Preface



The CQRE [Secure] conference provides a new international forum giving a close-up 
view on information security in the context of rapidly evolving economic processes. 
The unprecedented reliance on computer technology has transformed the previous 
technical side-issue "information security" to a management problem requiring 
decisions of strategic importance. Thus one of the main goals of the conference is to 
provide a platform for both technical specialists as well as decision makers from 
government, industry, commercial, and academic communities. The target of CQRE is 
to promote and stimulate dialogue between managers and experts, which seems to be 
necessary for providing secure information systems in the next millennium. 

Therefore CQRE consists of two parts: Part I mainly focuses on strategic issues of 
information security, while the focus of Part II is more technical in nature. This 
volume of the conference proceedings consists of the reviewed and invited 
contributions of the second part. 

The program committee considered 46 papers and selected only 15 for full 
presentation. For the participants’ convenience we have also included the notes of the 
invited lectures and short workshop talks in this volume. 

The selection of papers was a difficult and challenging task. I wish to thank the 
program committee members who indeed did an excellent job in reviewing and 
selecting the papers and providing useful feedback to authors. Each submission was 
blindly refereed by at least three reviewers to make the selection process as fair and 
objective as possible. The program committee was assisted by many colleagues who 
reviewed submissions in their field of expertise. My thanks to all of them. 

I would also like to thank the entire CQRE team for their kind assistance in organizing this event. My special thanks to our hosts from Messe-Düsseldorf GmbH and especially to N. Mizera, M. Kotschedoff, S. Spamer, A. Viefers, and B. Wagner who greatly contributed to the success of this challenging project with their untiring engagement and timely decisions. Furthermore I would like to thank the team from Brodeur-Kohtes & Klewes around B. Boendel and my colleagues T. Gawlick, A. M. Schlesinger, and D. Hühnlein for kindly assisting me in administrative tasks.

Last but not least, I wish to thank all the authors who submitted papers, making this conference possible, and the authors of accepted papers for updating their work in a timely manner, allowing the production of these proceedings.



September 1999 



Rainer Baumgart 
Developing Electronic Trust Policies Using a Risk Management Model



Dean Povey 

Security Unit, Cooperative Research Centre for Enterprise Distributed Systems**, 
Level 12, S-Block, Queensland University of Technology, 

Brisbane Qld 4001, Australia, 
povey@dstc.edu.au



Abstract. Trust management systems provide mechanisms which can enforce a trust policy for authorisation and web content. However, little work has been done on identifying a process by which such a policy can be developed. This paper describes a mechanism for developing trust policies using a risk management model, and relates this to a conceptual framework of trust. The process uses an extended risk management model that takes into consideration beliefs about the principals being trusted and the impersonal structures and systems involved.

The paper also applies the extended risk management model to a hypothetical case study in which an individual is making investments using an electronic trading service.



1 Introduction 

Regardless of the strength or robustness of a given security mechanism, its effectiveness is limited without the existence of trust. Security protocols, cryptographic devices and digital signatures rely on the ability to trust either one or more parties, mechanisms or equipment to be sure that the assets they protect remain safe.

In the physical world we derive much of our notions of trust from the tangible nature of things. For example, we perceive the information in a book to be worth reading because we know that it costs a lot of money to print a book, because the logo on the side shows that it has been reviewed by a publisher of repute, and often because a library has thought it worthwhile enough to stick it on their shelf. Similarly, we are convinced by the stability and trustworthiness of a bank, because the difficulty of licensing a fraudulent organisation and the cost of setting up branches, ATM networks and marketing etc. would make it prohibitively expensive.

However, the shift toward e-commerce means that we can no longer infer trust from physical, tangible things. We need to rethink our approach to trust so that we can rely on the information and actions of people in a virtual world, with the same degree of confidence that we do in the real world.

** The work reported in this paper has been funded in part by the Co-operative Research Centre Program through the Department of Industry, Science & Tourism of the Commonwealth Government of Australia.

Trust management systems such as PolicyMaker [1], KeyNote [2], and REFEREE [3] provide mechanisms that can enforce a trust policy for authorisation and web content. However, little work has been done on identifying a process by which a trust policy for such systems can be developed.

This paper describes a mechanism for developing trust policies using a risk management model, and outlines a hypothetical case study to illustrate the usefulness of such a scheme.

2 Risk Management 

Risk management is the total process of identifying, controlling, and minimising the impact of uncertain events [4]. The Common Criteria [5] outlines a model for relating different elements of the risk management process, which is given in figure 1. In general, risk management for information security involves the following process:

1. Identify the assets to be protected, the threats to these assets, and the expected impact if those assets are compromised.

2. Identify the vulnerabilities or weaknesses which can lead to these threats arising.

3. Analyse the risk (i.e. the likelihood and consequences) of the vulnerabilities leading to these threats being exploited.

4. Determine whether to accept or treat the risk.

Risk is treated using countermeasures which seek to reduce either the likelihood or consequence of a risk, or defer the risk to some third party (e.g. insurance). Implementing a countermeasure has a cost associated with it, which must be balanced against the expected utility of implementing the measure. Countermeasures may also expose additional risks, or retain residual risk which must be considered in the risk management process.

Risk management is well understood, and numerous standards and methodologies exist to describe the process (e.g. [6][7][8]). Integrating risk management into the trust management process is therefore useful, as it will enable us to leverage this existing body of work.

3 Trust 

To integrate trust with risk management, it is necessary to provide a framework by which different aspects of trust can be described and related. One of the more comprehensive frameworks for trust was developed by McKnight, Cummings and Chervany, and results from a survey of sixty papers across a wide range of disciplines [9][10]. McKnight et al’s model provides a classification system for different aspects of trust, as well as a system for showing how trust can influence behaviour, and defines the following constructs:

Fig. 1. Security concepts and relationships from the Common Criteria



Trusting behaviour the extent to which one person voluntarily depends on another person in a specific situation with a feeling of relative security, even though negative consequences are possible. This construct is in effect describing the “act” of trusting, and implies acceptance of risk (negative consequences) by the trusting party.

Trusting intention the extent to which one party is willing to depend on the other party in a given situation with a feeling of relative security, even though negative consequences are possible. A trusting intention usually leads to trusting behaviour. Trusting intentions relate directly to the security policy which determines how entities in the system are trusted. A trusting intention essentially specifies a willingness to trust a given individual in a given context, and implies that the trusting entity has made decisions about the various risks and benefits of allowing this trust.

Trusting beliefs the extent to which one believes and feels confident in believing that the other person is willing and able to act in the trusting party’s best interests. A trusting intention will be largely based on the trusting party’s cognitive beliefs about the other person. McKnight et al describe four categories of trust belief:

1. Benevolence - the belief that a person cares about the welfare of the other person;

2. Honesty - the belief that a person makes agreements in good faith;

3. Competence - the belief that a person has the ability to perform a particular task; and

4. Predictability - the belief that a person’s actions are consistent enough to forecast what they will do in a given situation.

Trusting beliefs characterise the information by which we make our trusting decision about a given individual. They may be based on evidence, recommendations from third parties (which themselves must be trusted), and often on simple intuition. We can think of trusting beliefs as being the measures by which we will determine whether a given entity should be trusted given a specific risk profile. It should be noted that not all beliefs need to be strong in order to trust an individual in a given context. In business transactions, the issue of benevolence is rarely important (although the presence of malevolence may be) when compared to the issues of honesty, predictability, and most importantly competence. Also, some beliefs are easier to be confident about than others. It is usually simpler to obtain a measure of an organisation’s competence (by accreditation and recommendations) and predictability (by past dealings) than it is to obtain a measure of their benevolence and honesty.

Like trusting intentions, beliefs may also be specific to a context (e.g. belief in the competence of a lawyer to write contracts does not extend to their competence to perform neurosurgery).

As we shall see, it is trusting beliefs which are the most important to ascertain, as they will determine the confidence with which we establish our trusting intentions.

System trust the extent to which one believes that proper impersonal or institutional structures are in place to enable one to anticipate a successful future endeavour. An important difference between system trust and trusting beliefs is that while trusting beliefs relate to the attributes of another person who is being trusted, system trust relates to the actual system/infrastructure under which the trusted action is taking place.

System trust is important, as it provides stability to our interactions with people and organisations. Legal and regulatory systems provide punitive mechanisms to discourage malicious behaviour, and accreditation and certification schemes provide systems which allow us to evaluate an organisation’s competence. Like trusting beliefs, system trust is a critical component of determining a trusting intention.

Dispositional trust the extent to which one has a consistent tendency to trust across a broad spectrum of situations and persons. A person may have dispositional trust because they either believe in the general good nature of people, or they believe that they will achieve better outcomes by tending to trust people.

Situational trust the extent to which one intends to depend on a non-specific party in a given situation. Situational trust is related to dispositional trust in that it is a general intention. However, it is differentiated by the fact that where dispositional trust refers to a broad spectrum of situations and persons, situational trust is related only to a specific situation.

Belief formation processes The process by which new beliefs are developed and integrated into our schema about the world.

These constructs do not exist in isolation, but have well-defined relationships between them. We can clearly see that a trusting behaviour relies on the existence of a trusting intention, which in turn is created through the existence of one or more of trusting beliefs, system, dispositional or situational trust. Figure 2 shows the various constructs and their dependencies.




Fig. 2. Related Trust Constructs 



McKnight et al’s conceptualisation of trust as multi-dimensional is both powerful and compelling. It also goes some way to explaining the difficulty that researchers in many disciplines have encountered in the formulation of a single broad definition of what trust is. In addition, their wide consultation of literature from many disciplines including management, communication, sociology, social psychology and economics, positions their model within a context that is sufficiently broad to categorise most definitions of trust.
4 An Extended Risk Model

To extend the risk model to encompass trust, it is important to see the goal we are trying to achieve in developing a trust policy. A risk management process seeks to identify risks, and to determine whether those risks should be treated or accepted. Trust management, on the other hand, seeks to identify the circumstances under which we are prepared to accept risks that may be exposed by relying on certain entities. The key to merging these two concepts is to focus on risk as the common element. We can see that the definition for trust management can be related to the decision about risk acceptance/treatment. In effect, trust becomes a risk treatment option, i.e. you are prepared to accept risks if you trust the entities that can expose them.

This fact is intuitively obvious to most people. The more someone is trusted, the more we feel we can rely on them, and consequently the more risk we expose ourselves to. When we talk about levels of trust, we are really discussing the level of risk that we are prepared to accept for relying on a trusted entity.



4.1 Relating Trust Policies to McKnight et al’s Model

The constructs described in section 3 provide a vocabulary for describing how trust is formed. By combining this process with the risk management process we can show how trust policies can be captured from the environment using a structured process.

In McKnight et al’s model, the trusting intentions form the trust policy, which is essentially a statement of the conditions under which we are prepared to trust a given entity. As noted in section 3, these intentions are formed from a number of sources: our dispositional trust, our beliefs about the entity we are trusting, how we trust the systems which we look to for support and protection, and our tendency to trust in the given situation. As described, it is important to consider the risks of the behaviour of entities that we intend to trust. However, it is also important to consider the utility or value of trusting this entity, as this can considerably alter the decision to accept or treat a risk, or to not allow the behaviour to occur.

On further analysis, we see that there are also important interactions between components of the trust framework that we must consider. One of the most important elements of forming the trusting intention is the existence of trusting beliefs about an entity. These are important, as they are the only input into the trusting intention decision which is specific to a given entity. McKnight et al’s model identifies a belief formation process, which is an iterative mechanism that uses information and experience gathered from the environment to form one or more trusting beliefs about an individual. In this extended risk management model, the information that is input into this process is called a trust metric. Trust metrics contribute to our understanding about the four trusting beliefs (competence, predictability, honesty and benevolence), and include:

— information based on previous experience;
— recommendations from third parties;

— certifications or qualifications; 

— memberships of professional organisations; 

— certified histories (criminal records, credit reports etc.); and 

— brand. 

As we can see from this list, the trust metrics themselves can be subject to trust decisions about their accuracy. Thus, the belief formation process is recursive.

Another important observation is that metrics may have a cost associated with them (e.g. obtaining a credit report may cost money). In developing a trust policy, we must be careful to ensure that the costs of gathering metrics do not outweigh the utility gained from trusting, and that we maximise the value of our metrics, such that the cost reflects the contribution to our understanding of the trusting beliefs.

Figure 3 shows how these constructs relate to form an extended risk model.



4.2 Using the Extended Risk Model for Trust Management

By combining the concepts from risk management with the extended risk model, we can establish the following process for establishing a trust policy:

1. Identify the entities and situations you want to determine a trust policy for. This allows the establishment of trust contexts, which encapsulate the security context within which trust decisions will be made. Note that such a context should include all probable trusted entities and threat agents.

2. Identify the assets to be protected within this trust management context, the threats to these assets, and the expected impact if those assets are compromised.

3. Calculate the expected utility of trusting entities in the given situations.

4. Identify the vulnerabilities or weaknesses which can lead to these threats arising.

5. Analyse the risk (i.e. the likelihood and consequences) of the vulnerabilities leading to these threats being exploited.

6. Determine the adequacy of existing countermeasures which may mitigate these risks.

7. Determine the beliefs, and the confidences in those beliefs, required to trust (or distrust) entities which may expose the given risks.

8. Identify the various impersonal structures or systems which have an impact on the given trust context. Common systems will include legal or regulatory frameworks. Analyse our confidence in these systems to mitigate risks.

9. Identify metrics which can help make decisions about the required trusting beliefs, and determine the confidence we have in the accuracy of these metrics (in itself a mini trust-management decision).

10. Evaluate the costs of gathering these metrics, and relate this to the expected utility and their contribution to confidence in the trusting beliefs. Use this evaluation to select the subset of metrics which can be used to establish the trusting beliefs.

11. Using the metrics, establish the beliefs identified in step 7 and determine whether they meet the required confidence levels.

12. Based on this evidence and the levels of system trust, either unconditionally accept a trusting intention for the evaluated entity in the given situation; reject the trusting intention; or treat the risk and reevaluate.




Fig. 3. Extended Risk Model 



Trusted entities and threat agents may be either known or unknown. In the case that they are known, the policy should include the actual measurements for this entity obtained using the trust metrics. In the case that they are unknown, the policy should contain the list of metrics which are required to determine whether an entity should or should not be trusted.

If a trusting intention is rejected, then risk may be treated by a number of mechanisms:

1. Add countermeasures which decrease the risk;

2. Defer risk to a third party (e.g. insurance); or

3. Increase the confidence in the required trusting beliefs by obtaining more or better metrics.

We can see that this process extends the risk management process by integrating components of the trust model.

5 Writing Trust Policies

The outcome of the trust management process should be a policy which documents the decisions made. The policy should include:

Trust metrics A list of the metrics used in a trust policy, the trusting beliefs they measure, and their appropriateness for given trust contexts.

Confidence levels A description of the list of qualitative or quantitative labels that indicate our level of confidence in a given trusting belief.

Trust context policies An articulation of the policy for making trusting decisions for each of the identified trust contexts.

These items are described below.



5.1 Trust Metrics

One important component of the extended risk model is the use of trust metrics. These are mechanisms which can be used to enhance our confidence about certain beliefs. An important thing to note is that the trust metrics themselves need to be trusted, and we will have a confidence level associated with their precision. A trust policy should begin by evaluating the trust metrics which it will use, and providing the confidence levels which we have in their measurements in a given context.

When specifying the metrics used in the policy, the policy writer should state:

— the contexts in which that metric is trusted;

— the belief(s) that they measure;

— the confidence in that metric for those contexts in which it is trusted, and how this is measured (NB: metrics can be evaluated using other metrics); and

— the cost of evaluating that metric.

In general, metrics should require close scrutiny as we are exposed to more systemic risk by trusting them.

5.2 Confidence Labels

The policy writer should include confidence labels which may be attached to particular beliefs in the trusting decision. Confidence labels can be either qualitative or quantitative, and are similar to the likelihood measurements which are commonly used in risk management. The confidence label represents the likelihood that the belief it is attached to is correct, i.e. high confidence means a high probability of correctness. Figure 4 gives an example of qualitative and quantitative labels which might be used in a trust policy. In the quantitative descriptions, p is the probability that a belief with that given label is correct.

Label      Qualitative                                                                                        Quantitative
Very Low   A belief with this label has very low confidence; it should only be relied on if the risk is negligible.   p <= 0.5
Low        A belief with this label has low confidence; it may be relied on only if the risk is low.                  p > 0.5
Medium     A belief with this label has medium confidence; it may be relied on for contexts at medium risk.           p > 0.95
High       A belief with this label has high confidence; it may be relied on in high risk situations.                 p > 0.995
Very High  A belief with this label has very high confidence; it may be relied on in all situations.                  p > 0.999

Fig. 4. Example confidence labels

Confidence levels may be combined to obtain new confidence measures. This 
is useful when for example a number of metrics are being used to determine 
the level of a trusting belief. Quantitative metrics can be combined, simply by 
summing the probabilities (i.e. only one of the metrics has to be correct, for the 
belief to be correct). Qualitative metrics can be combined either on an ad hoc 
basis or by using rules to combine levels (e.g. HIGH = 3 x MEDIUM). 
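To make the label scheme of figure 4 and the combination rule above concrete, here is an added Python example (this editor's code, not the paper's) that maps probabilities to the figure's labels, combines several measurements of one belief, and then checks Bob's requirement from section 6 that information sources reach HIGH competence, honesty and predictability, using the Alice and Reuters beliefs from the belief analysis. It assumes a representative probability for each label, treats the paper's MEDIUM-HIGH as MEDIUM, and, beside the paper's literal sum, uses the complement-product form of "only one metric has to be correct" (sources assumed independent), which keeps the result within [0, 1].

```python
from math import prod

# Confidence labels and probability thresholds from Fig. 4 of the paper
# (p is the probability that a belief carrying the label is correct).
# Ordered weakest to strongest so that label ranks can be compared.
LABELS = ["VERY LOW", "LOW", "MEDIUM", "HIGH", "VERY HIGH"]
LOWER_BOUND = {"LOW": 0.5, "MEDIUM": 0.95, "HIGH": 0.995, "VERY HIGH": 0.999}

# Representative probability for a belief that is only known by its label.
# These points are this example's own assumption (one value inside each
# Fig. 4 interval); the paper does not specify them.
REPRESENTATIVE_P = {
    "VERY LOW": 0.5,
    "LOW": 0.8,
    "MEDIUM": 0.96,
    "HIGH": 0.997,
    "VERY HIGH": 0.9995,
}


def label_for(p: float) -> str:
    """Map a probability of correctness to its Fig. 4 label (strict '>' as in the figure)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"not a probability: {p}")
    for label in reversed(LABELS[1:]):   # VERY HIGH, HIGH, MEDIUM, LOW
        if p > LOWER_BOUND[label]:
            return label
    return "VERY LOW"                     # p <= 0.5


def at_least_as_confident(label: str, required: str) -> bool:
    """True if `label` is at least as strong as `required` in the Fig. 4 ordering."""
    return LABELS.index(label) >= LABELS.index(required)


def combine_by_sum(ps) -> float:
    """The paper's literal rule: sum the probabilities. The result is not
    bounded by 1, so it cannot be fed back into label_for() as a probability."""
    return sum(ps)


def combine_any_correct(ps) -> float:
    """'Only one of the metrics has to be correct', assuming independent sources:
    P(at least one correct) = 1 - prod(1 - p_i). Always stays within [0, 1]."""
    return 1.0 - prod(1.0 - p for p in ps)


def combined_label(labels) -> str:
    """Combine several labelled measurements of the same belief into one label."""
    return label_for(combine_any_correct(REPRESENTATIVE_P[lab] for lab in labels))


# Bob's requirement for the vulnerability "information Bob uses to make
# decisions could be inaccurate": competence, honesty and predictability of
# the sources must each reach HIGH, possibly after confirmation by others.
REQUIRED_INFO_BELIEFS = {"competence": "HIGH", "honesty": "HIGH", "predictability": "HIGH"}

# Entity beliefs from the paper's belief analysis. Reuters' competence is given
# as MEDIUM-HIGH, which is not a Fig. 4 label; this example conservatively
# records it as MEDIUM (an assumption).
ALICE = {"competence": "MEDIUM", "honesty": "HIGH", "predictability": "HIGH"}
REUTERS = {"competence": "MEDIUM", "honesty": "HIGH", "predictability": "HIGH"}


def trusting_intention(sources, required=REQUIRED_INFO_BELIEFS):
    """Accept the trusting intention only if every required belief, combined
    across all confirming sources, reaches its required confidence label.
    Returns (accepted, {belief: combined_label})."""
    result = {belief: combined_label([src[belief] for src in sources]) for belief in required}
    accepted = all(at_least_as_confident(result[b], required[b]) for b in required)
    return accepted, result


if __name__ == "__main__":
    # Alice alone: competence only MEDIUM, so the intention is rejected;
    # confirmed by Reuters, the combined competence reaches HIGH.
    print("Alice alone:", trusting_intention([ALICE]))
    print("Alice confirmed by Reuters:", trusting_intention([ALICE, REUTERS]))
```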



5.3 Trust Contexts

These are all the situations and environments that are under consideration for the trust policy. For each trust context, the trust policy should detail:

— a description of the context;

— the risks inherent in trusting entities for a given context;

— the expected utility of trusting entities for the given context;

— a list of the possible trusted and threat agents;

— a list of the beliefs and confidences required to trust/distrust entities in the trust context; and

— a list of the required/available metrics appropriate to establish these beliefs.

Contexts may be included within other contexts; for example a context which covers user access to a web site may also include a sub-context for privileged access to files. This allows a simple hierarchical organisation of trust policies.

If specific entities are to be trusted for a given context, these entities should be listed along with the rationale for trusting them. Where the policy is specifying criteria for trusting unknown entities, it is sometimes useful to separate out the requirements in terms of the type of entity which is to be trusted. For example, entities could be divided into customers, employees and contractors. The policy writer may wish to express differing levels of required beliefs and confidences in each of these, as there are varying levels of utility for differing classes to exploit threats, and as such varying likelihood of threats occurring.
6 Hypothetical Case Study

In this section, the extended risk management model is applied to a hypothetical case study in which an individual is making investments using an electronic trading service. The case study serves to illustrate the complexity involved in evaluating a given trust decision, as it shows how making one trust decision relies on many other trust decisions. It should be noted that in the following example, some of the steps described in section 4.2 have been consolidated together. The aim is to give a general feel for how a trust policy can be developed using the mechanism, and not to explicitly show how the policy should be expressed.

6.1 Scenario

Bob is a naive investor, with a small amount of cash to spend. He is contemplating some direct share investments, and so asks his friend Alice, who is wise in the ways of the sharemarket, for her advice. Alice suggests he makes a number of investments, but recommends in particular a recently listed small Internet company, ComDot.com. She says that she has heard on the grapevine that this company is likely to do spectacularly well once it releases the next version of its new Website construction software. Alice also suggests that rather than fork out for brokerage fees, Bob purchase the shares directly from E-Shares, an online brokering firm which allows small purchases using a credit card. Bob contemplates whether to take Alice’s advice.

6.2 Trust Management Process

Based on the information from Alice, Bob has to make a number of decisions about whether to invest in ComDot.com shares. Doing this requires a number of trusting decisions, which may also involve gathering information, and determining whether that should be trusted. Following the trust management process outlined in section 4.2, Bob sets about determining his trust policy.

Establishing Trust Management Context The scenario above constitutes Bob’s trust management context, i.e. he is making decisions about trust within the context of making a specific decision about buying a certain set of shares using an electronic trading service. There are a number of trusting intentions which Bob must have before he can make this decision:

1. Bob must trust Alice to give good advice about the shares;

2. Bob must trust ComDot.com to conduct their business competently; and

3. Bob must trust E-Shares to respect his privacy, and keep his credit card details secure.

In addition, Bob must also consider threats from the following sources:

— hackers, who wish to steal Bob’s credit card details and make fraudulent purchases;

— ComDot.com’s competitors, who may wish to spread misinformation in order to gain market advantage; and

— marketeers, who may wish to use knowledge of Bob’s share purchase as fuel for direct marketing campaigns.

Calculate Expected Utility By purchasing the shares, Bob aims to make at least an 8% per annum return on his investment. By using the online trading scheme he hopes to save up to 20% in brokerage fees.

Identify Assets to be Protected In this scenario, Bob determines that he has three main assets under threat:

1. The cash he is investing (could be lost due to poor investment).

2. His credit card number (there is a threat of disclosure leading to fraudulent transactions on his credit card).

3. His privacy (Bob doesn’t want people knowing how he spends his money).

Vulnerability Analysis By analysing his assets and the possible threats, Bob determines the set of vulnerabilities which may lead to those threats being realised.

1. Information Bob uses to make decisions could be inaccurate.

2. Companies which Bob invests in might go out of business.

3. E-shares might disclose private information.

4. E-shares might disclose Bob’s credit card details.

5. Hackers might intercept Bob’s credit card details over the Internet.

Risk Analysis For each of the above vulnerabilities, Bob identifies the likelihood and consequences of these vulnerabilities causing threats to be realised. Likelihood is measured qualitatively (RARE, UNLIKELY, MODERATE, LIKELY, CERTAIN), and the label UNKNOWN is used where making this judgement is not possible in this first analysis (usually due to lack of knowledge about trust levels). Consequences are also indicated qualitatively with the labels INSIGNIFICANT, LOW, MODERATE, SIGNIFICANT and CATASTROPHIC. This analysis is summarised in figure 5.

Identify Required Beliefs and Confidences Bob now needs to determine the level of required beliefs in order to accept the risks he has identified. We shall briefly outline these decisions for two of the identified vulnerabilities:

Information Bob uses to make decisions could be inaccurate Given the risk identified, Bob determines that he has to trust the information he receives about given shares with a HIGH degree of confidence (see figure 4). In order to trust the information he receives, Bob determines he has to know that the sources of the information are competent, honest and predictable; and that his confidence in these beliefs must either be HIGH, or the information must be confirmed from other sources, such that the total confidence for each of these beliefs is HIGH.
Item  Likelihood  Consequences  Comments
1.    UNKNOWN     SIGNIFICANT   Likelihood depends on how much we trust the source of information
2.    MODERATE    SIGNIFICANT   -
3.    MODERATE    SIGNIFICANT   -
4.    MODERATE    LOW           Low consequences, as vendor bears liability for all but $50 of fraudulent transactions
5.    UNLIKELY    LOW           As above, but SSL encrypted link which makes it less likely.

Fig. 5. Risk analysis summary

E-shares might disclose Bob’s credit card details Given the identified level of risk, Bob decides he needs to only have MODERATE confidence in E-shares’ competence to protect his credit card details.



Identify and Evaluate Metrics When relying on an entity's information or actions, Bob uses the following metrics to determine the confidence he has in certain beliefs about that entity. 

— previous experience with the entity (MEDIUM-HIGH confidence); 

— recommendations from other trusted sources (MEDIUM confidence); 

— established brands (MEDIUM confidence); 

— contractual obligations (HIGH confidence); and 

— regulatory controls (MEDIUM confidence). 

In addition, he determines the following additional metrics to be used where 
specific software countermeasures (e.g. the SSL enabled browser he uses) are 
used to combat risk: 

— ITSEC or Common Criteria evaluation (HIGH); 

— open source software which has been heavily scrutinised (MEDIUM); 

— well known product or vendor (MEDIUM); and 

— recommendations from other trusted sources (LOW-MEDIUM). 

Lastly, Bob determines the following metrics which are used where he is 
relying on a third party security system. 

— disclosure of security practices and procedures (LOW); 

— third party audit by a trusted auditor (MEDIUM-HIGH); and 

— certified quality system (e.g. ISO9000) (MEDIUM-HIGH). 



Belief Analysis 
Information Bob uses to make decisions could be inaccurate Bob has already determined the following beliefs about two entities he will rely on for information: 

— Alice: Competence (MEDIUM), Honesty (HIGH), and Predictability (HIGH). Alice can be trusted for information, providing the information is confirmed from at least one other MEDIUM-trusted source. These beliefs were determined solely from a long history of past experience with Alice. 

— Reuters News-Wire service: Competence (MEDIUM-HIGH), Honesty (HIGH), and Predictability (HIGH). Reuters can be trusted to report information, providing it can be confirmed by at least one other LOW-MEDIUM trusted source. These beliefs are determined by Reuters' good brand, recommendations from Alice and other friends, and previous experience. 

E-shares might disclose Bob's credit card details Bob determines a HIGH level of confidence about E-shares' competence to keep his credit card details secure. This belief is determined from the existence of a certified ISO9000 quality system and a third party audit from KPMG which E-shares describe on their web site. 
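The confirmation policy Bob applies to Alice and Reuters, written out as an added Python illustration (not code from the paper); the ordinal confidence scale, the weakest-belief rule for a source's overall confidence, and the confirmation check are assumptions made here to make the policy executable.

```python
"""Bob's information-source confirmation policy, modelled as code.

Added illustration, not code from the paper.  Assumptions not stated on the
page: confidence is the ordinal scale LOW < LOW-MEDIUM < MEDIUM < MEDIUM-HIGH
< HIGH; the confidence placed in a source is bounded by the weakest of the
competence, honesty and predictability beliefs; and a source below the
required level is acceptable when at least one other reporting source meets
the confirmation minimum that Bob's policy fixes for that source.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["LOW", "LOW-MEDIUM", "MEDIUM", "MEDIUM-HIGH", "HIGH"]


def rank(level: str) -> int:
    """Position of a qualitative confidence label on the ordinal scale."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Beliefs:
    competence: str
    honesty: str
    predictability: str

    def confidence(self) -> str:
        """Overall confidence in the source: the weakest of the three beliefs (assumed rule)."""
        return min((self.competence, self.honesty, self.predictability), key=rank)


@dataclass(frozen=True)
class SourcePolicy:
    beliefs: Beliefs
    # Weakest confidence a confirming source may have; None means the policy
    # does not allow confirmation to make up for a low-confidence source.
    confirm_min: Optional[str]


# Bob's belief analysis for vulnerability 1, with the values from the case study.
POLICIES = {
    "Alice": SourcePolicy(Beliefs("MEDIUM", "HIGH", "HIGH"), confirm_min="MEDIUM"),
    "Reuters": SourcePolicy(Beliefs("MEDIUM-HIGH", "HIGH", "HIGH"), confirm_min="LOW-MEDIUM"),
}


def accept_information(primary, also_reported_by, policies=POLICIES, required="HIGH"):
    """Decide whether Bob may act on a report from `primary`, given the other
    sources that report the same fact.  Returns (accepted, reason)."""
    policy = policies[primary]
    own = policy.beliefs.confidence()
    if rank(own) >= rank(required):
        return True, f"{primary} alone gives {own} confidence"
    if policy.confirm_min is None:
        return False, f"{primary} gives only {own} and may not be confirmed"
    for other in also_reported_by:
        if other == primary:
            continue
        other_conf = policies[other].beliefs.confidence()
        if rank(other_conf) >= rank(policy.confirm_min):
            return True, f"{primary} ({own}) confirmed by {other} ({other_conf})"
    return False, (f"{primary} ({own}) needs confirmation from a source rated "
                   f"{policy.confirm_min} or better")


if __name__ == "__main__":
    # Item 1 of Figure 6: Alice's tip confirmed by a Reuters article is accepted,
    # while either source on its own falls short of the required HIGH confidence.
    for primary, others in [("Alice", ["Reuters"]), ("Alice", []),
                            ("Reuters", ["Alice"]), ("Reuters", [])]:
        print(primary, others, "->", accept_information(primary, others))
```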

Trusting Decisions Figure 6 summarises Bob's trusting decisions for each of 
the identified vulnerabilities. 



Item  Trust decision  Comments
1.    Accept Risk     Trust Alice's information (confirmed by a Reuters
                      article), and a policy is described for trusting
                      subsequent information
2.    Accept Risk     Sufficient information is available to trust
                      ComDot.com's competence to do well. A policy is
                      described for obtaining the required trust in other
                      companies whose shares Bob wants to purchase.
3.    Accept Risk     Bob determines E-shares' privacy policy is sufficient,
                      and trusts them to enforce it.
4.    Accept Risk     Bob is convinced by third party evidence that E-shares
                      is competent at keeping its site secure enough to
                      mitigate this risk.
5.    Accept Risk     Bob trusts the SSL mechanism used to secure
                      communications with E-shares, and trusts his browser
                      and E-shares web server to implement this mechanism
                      correctly.

Fig. 6. Trusting decisions summary 



6.3 Summary 

This hypothetical case study outlines the application of the trust management process based on the extended risk model. It should be noted that only a subsection of the full analysis is presented. Nevertheless it serves to illustrate the plausibility of such a technique in a real world situation. 

7 Related Work 

Khare and Rifkin [11] describe how trust management philosophies can be ap- 
plied to the World Wide Web, and describe how trust policies can be designed. 
However, Khare and Rifkin’s work is very much focused on the expression of 
trusting intentions, i.e. they describe how to express a trust policy, but do not 
provide a methodology for how to derive it. 

In [12] Jøsang describes general criteria for modelling trust in information security and critiques some other existing formal schemes. Further work by Jøsang 
[13] develops these ideas into a formal model based on a concept called subjec- 
tive logic. Subjective logic allows us to reason about beliefs or opinion using an 
algebraic notation, and would be useful in the context of working with trusting 
beliefs in the extended risk model. 

As indicated, there have been several attempts to build trust management systems [1][2][3]. Of these REFEREE [3] is probably the most notable, as it provides a way to integrate with third party recommender systems like the PICS [14] labelling scheme. The REFEREE architecture is also extensible, making it simple to integrate new components into the system. Future work on automating the trust management process could benefit highly by utilising REFEREE as a platform for gathering and evaluating information. 

8 Future Work 

"Decision support system" is a catch-all term for a wide variety of systems which 
provide computer support for decision making [4]. There is a significant body 
of work on using decision support systems for risk management [15] [8], which 
could be leveraged to develop similar systems for trust management based on 
the extended risk model. 

Another direction for this work might be the development of trust metrics 
which could be used to automatically establish beliefs about pages on the World 
Wide Web. Examples of such metrics might include: 

— number of pages linking to a given web page; 

— trusted pages linking to given web pages; 

— third party recommendations (e.g. PICS labels); and 

— number of hits on a given web page. 

Search engines might be useful sources for such information. In particular 
the Google search engine [16] already uses link counts in order to rate matched 
pages. 

Lastly, the importance of considering dynamically changing policies needs to 
be investigated. Beliefs and trust are not static, but change as new information 
is received. It would be useful to investigate how policies could be defined which 
cope with dynamic changes. 
9 Conclusions 

This paper has presented a scheme for developing trust policies based on an 
extended risk management model. The scheme was applied to a hypothetical 
case study, which shows the utility of the process to real world applications. The 
paper has also discussed related work and given some firm directions for future 
research in this area. 
Abstract. This work presents a novel methodology for security analysis of 
computer systems. The suggested approach, called simulated hazard injection, 
is a variant of simulated fault injection, which has already been employed with 
success to the design and evaluation of fault-tolerant computer systems. The 
paper describes the key ideas underlying the proposed methodology, and 
defines a portfolio of security measures to be extracted from experimental data. 
These concepts are incorporated in a tool for dependability analysis of Public 
Key Infrastructure (PKI) based systems. The tool is called SECURE and is 
currently under development at the University of Naples. The paper describes 
the architecture of the tool and discusses its potentialities. 



1 Introduction 

Security is of crucial importance in all automated, business-related transactions. 
Forms of electronic commerce, such as communication via electronic mail, Electronic Data Interchange (EDI), or the World Wide Web, are just a few examples of crucial fields of application, where a security breach may have significant economic impact and/or legal consequences. The deployment of paperless mechanisms can be highly beneficial in reducing business costs and in creating opportunities for new and/or 
improved customer services. However, the electronic systems and infrastructures that 
support electronic transactions are susceptible to abuse, misuse, and failure in many 
ways. All participants, i.e. commercial traders, financial institutions, service 
providers, and consumers are exposed to a variety of potential damages, which are 
often referred to as electronic risks [1]. These may include direct financial loss 
resulting from fraud, theft of valuable confidential information, loss of business 
opportunity through disruption of service, unauthorized use of resources, loss of 
customer confidence or respect, and costs resulting from uncertainty. In order to 
mitigate risks and promulgate the deployment of information security technology on a 
wide scale in the commercial environment, appropriate security countermeasures, and 
business and legal frameworks must be established. The following services must be 
provided [2]: 
• Confidentiality - Provides privacy for messages and stored data by hiding 
information using encryption techniques; 

• Message Integrity - Provides assurance to all parties that a message remains 
unchanged from the time it was created to the time it was opened by the recipient; 

• Non-repudiation - Can provide a way to prove that a document came from 
someone even if he/she tries to deny it; 

• Authentication - Provides two services. The first is to identify the origin of a 
message and provide some assurance that it is authentic. The second is to verify the 
identity of a person logging onto a system and after doing so, continuing to verify 
that person’s identity in case someone tries to break into the connection and 
masquerade as the user. 

For the most part, these services are enabled through public key (asymmetric) 
schemes rather than private (symmetric) schemes, for these are best able to cope with 
scalability problems. The distribution of keys, however, is difficult even in the public 
scheme if the Internet is the communication channel. On the Internet, obtaining a 
public key requires a certain level of trust. One must know that the public key belongs 
to the person one thinks it does. Someone might be masquerading as someone else. A solution is to work with a trusted third-party organization called a Certificate Authority that distributes public keys for people and organizations and that verifies the credentials of the people associated with the public keys. In this way trust is transferred from a people-trusting-people to a people-trusting-an-organization scheme. This leads to a more complex organism (eventually to a world-wide global organism) incorporating independent certification authorities that can transfer trust among themselves. Such an organism is called a Public Key Infrastructure (PKI). As is evident from the above description, a PKI is a complex organization, consisting of policies, services, and professionals. In this 
context, a party who acts or is in a position to act in reliance upon a certificate and its 
subject public key is referred to as a Certificate User or Relying Party. A certificate 
will become a sort of global passport and a personal database that holds a wealth of 
information about the certificate subject in a very secure way. 

In order to make public-key-based technologies usable on a wide scale, PKIs must 
support a variety of services, such as: 

• Registering users - This also entails authenticating certificate applicants. This task 
can be performed either by the Certification Authorities (CAs) or by separate 
entities, called Registration Authorities (RAs), that front-end Certification 
Authority service; 

• Issuing certificates - A CA has to issue certificates to Subscribers, i.e. parties who 
are the subject of a certificate and who are capable of using, and are authorized to 
use, the private key that correspond to the public key listed in the certificate; 

• Providing Information about Certificate Status - Certificates and other relevant 
information about certificates must be delivered or made accessible online to 
Certificate Users; 

• Issuing Certificate Revocation Lists - If a certificate is to be revoked, Certificate Authorities need to make potential users of the certificate aware of the revocation. 

Such services must be provided in accordance with a set of well-defined policies and enforced rules. These must be clearly stated in a document (or a set of documents) called a Certification Practice Statement (CPS). 



2 Issues 

From the technological perspective, there are no major outstanding challenges. The 
field of information security has been studied for many years by governments, 
academia, and a small industry sector of specialists, and solutions to most of the 
technical problems are well-understood by the technology specialists. Until recently, 
however, these information security solutions have received little use, except for 
national security and certain internal banking purposes. Therefore, there is still a 
tremendous amount to be learned about deploying information security technology on 
a wide scale. In addition, diverse legal and business practices and controls must be 
addressed in conjunction with the deployment of technological security 
countermeasures. When trying to enforce security in this context, involving highly 
diverse organizations and communities which need to work together in complex 
ways, many interesting and subtle issues arise, of both a technical and a legal nature. 
A variety of products exist from many different vendors, which provide the 
mechanisms needed to build PKI based systems. None of them, however, incorporates 
the means to assist the system designer in identifying the optimal solution for a 
specific scenario. This may involve choosing between different potential 
architectures, and setting the most appropriate values for crucial configuration 
parameters, in order to maximize interoperability, while minimizing the risk and the 
impact of a security compromise. Increased security requirements have created an urgent need for methodologies, models, and automated, cost-effective design and validation tools for trusted computer systems and infrastructures. The success of the engineering process will rely on the capability of the designers to measure or evaluate the security of each component, as well as of the overall architecture. Thus, security prediction and evaluation must become an integral part of the system design activity. Predicting, at design time, the security level a system will achieve at operation time, is quite a hard task. Design methodologies and tools must be provided which allow the developer to address issues such as: ways to structure relationships between 
multiple certification authorities, to associate different certification policies or 
practices with different certification paths, to find and validate certification paths, to 
develop and test certificate management protocols, and to enact legislation regarding 
PKIs to support digital signatures on commercial and governmental business 
transactions. To be efficient, the analysis must be conducted under realistic 
operational conditions, which take into account intentional and unintentional attacks, 
and other exceptional conditions. 




20 



L. Romano, A. Mazzeo, and N. Mazzocca 



3 Approach 

The approach we suggest here is based on simulation. In the design phase of complex 
systems, simulation is an important experimental means for evaluating a system under 
a variety of aspects [3]. Simulation has many advantages over analytical modeling, 
some of which are reported here: 

• Compared to analytical modeling, simulation has the capability to model complex 
systems to a high degree of fidelity without being restricted to assumptions made 
to keep an analytical model mathematically tractable; 

• Analytical modeling tools only use probabilistic models to represent the behavior 
of a system. In essence, the effect of an event on the system is predefined by a set 
of probabilities and distributions. Functional simulation tools not only use 
stochastic modeling, they also permit behavioral modeling - which does not require 
that the effect of an event be predefined - and in some cases they allow the actual 
software to be integrated and executed within the simulated model. If this is the 
case, a number of system parameters are the results of (and not inputs to) the 
simulation experiment. In addition to this, unlike analytical modeling, in which 
only a few types of distribution are commonly used for the tractability of models, 
the simulation method can handle any form of distribution, empirical or analytical; 

• Too many factors affect the behavior of a system on the field, which cannot be 
easily modeled analytically. 

Even with simulation, however, a number of issues arise. A fundamental issue is 
simulation time explosion. This occurs in two cases: 

1. When too much detail is simulated, such as modeling processes at an extreme level 
of detail; 

2. When the target system is already characterized by a high security level, i.e. the 
probabilities of experiencing security breaches is extremely low, which means 
simulation sessions require a very long time, in order to collect a statistically 
significant amount of experimental results. 

Several techniques, including mixed-mode simulation [4], importance sampling [5], 
and hierarchical simulation [6] can be used to address the time explosion problem. 

Another fundamental issue involves workloads. The impact of hazards on system 
security is workload dependent. Hence, it is important to analyze a system while it is 
executing representative workloads. Workloads for simulation experiments can be 
trace files of real applications, selected benchmarks, or synthetic programs. If the goal 
of the study is to assess the security level attained by the system in a well-defined 
operational context, a model of the real applications to be run in the target 
configuration should be used in the simulation. If the goal is to study hazard impact 
with regard to general workloads, several representative benchmarks should be 
selected for the simulation. If the objective is to exercise every functional unit and 
location, neither real applications, nor benchmarks may be appropriate. In this case, 
synthetic workloads may have to be designed for achieving the goal. The workload 
issue complicates simulation models and increases simulation time. It is essential to 
develop techniques to represent realistic workloads while maintaining reasonable 
simulation times. 
With these ideas in mind, we have developed a novel methodology, and a framework for system security analysis. The technique we suggest, hereinafter called simulated hazard injection, is a variation of simulated fault injection. Simulated fault injection has been successfully employed for dependability (reliability, availability, and performability) evaluation of fault-tolerant computer systems [7]. In simulated fault injection, faults, i.e. pathological events which may originate failures, are injected into a simulated model of the system, in order to evaluate the capability of the system to cope with errors. Simulated hazard injection consists of simulating the behavior of the target system while hazards, i.e. attacks on system security which may originate security compromises, are injected into its components, in order to evaluate the security level attained by the system. To the best of our knowledge, such an approach has never been proposed in the literature before. The following definitions are used: 

• Security hazard - An unintentional or intentional attack to system security, which 
makes the system exposed to potential security breaches; 

• Security compromise - A security breach which manifests in the system. It is the 
consequence of a security hazard. 

Simulated hazard injection can be used to pick out the key features, define the 
structure, and specify the configuration parameters of the target system. 



4 Measures 

In order to evaluate the security level of the system, quantitative measures must be 
defined and support must be made available to extract such measures from 
experimental data. 

Based on the previously defined concepts of hazard and compromise, we have 
identified a portfolio of parameters, which are suited for use as security measures. 
Some basic measures are defined in the following: 

• Mean Number of Transactions Executed (MNTE) - The mean number of 
transactions executed in a secure way, before the occurrence of a security 
compromise; 

• Mean Time To Compromise (MTTC) - The mean time elapsed before the 
occurrence of a security compromise; 

• Mean Time Between Compromise (MTBC) - The mean time between the 
occurrence of security compromises; 

• Mean Time To Detection (MTTD) - The mean time elapsed before the detection 
of a hazard/compromise; 

• Mean Time To Removal (MTTR) - The mean time elapsed before the removal of a 
hazard/compromise. 

A fundamental measure is latency. Extra care must be devoted to the evaluation of 
security hazard/compromise latency. In this context, an event is said to be latent if the 
following conditions hold: 



1. It has occurred; 







2. It has not been activated (i.e., it has not caused any other remarkable event); 

3. It has not been detected (i.e., the system is unaware of it); 

4. It has not been removed (i.e., it has not been eliminated from the system). 

According to the above definition, it is possible to distinguish between three different 
kinds of latency, namely: 

• Hazard activation latency - The amount of time an undetected hazard stays latent, before it is activated (i.e., originates a security compromise); 

• Hazard/compromise detection latency - The amount of time a hazard/compromise, which is present in the system, stays undetected; 

• Hazard/compromise removal latency - The amount of time an undetected hazard/compromise persists in the system, before it is eliminated. 

The three contributions are shown in Figure 1. In a) a hazard hits a system entity at time t_o (time of occurrence) and an operation (which is sensitive to the presence of the hazard in the entity) is performed at time t_a (time of activation). The time elapsed between t_o and t_a is the hazard activation latency. In b) a hazard/compromise affects an entity at time t_o and is detected at time t_d (time of detection). The time elapsed between t_o and t_d is the hazard/compromise detection latency. In c) a hazard hits the entity at time t_o and is removed at time t_r (time of removal). The time elapsed between t_o and t_r is the hazard/compromise removal latency. 
Fig. 1. Contributions to security hazard/compromise latency: a) activation latency - a hazard hits a system entity at time t_o (time of occurrence) and an operation is performed at time t_a (time of activation); b) detection latency - a hazard/compromise affects an entity at time t_o and is detected at time t_d (time of detection); c) removal latency - a hazard hits the entity at time t_o and is removed at time t_r (time of removal) 

It is worth noting the three contributions may combine in a variety of different ways, thus leading to more complicated scenarios. This makes latency evaluation quite a hard task. Nevertheless, careful investigation of latency data is of foremost importance in many cases, since it makes it possible to: 

• Capture the underlying mechanisms which determine the security level attained by 
the system; 

• Get valuable feedback about the security bottlenecks of the current design; 
• Evaluate the effectiveness of potential modifications and alternative strategies. 

In particular, latency evaluation is of foremost importance in all situations where 
resolution of disputes depends largely upon the accuracy with which times of events 
are known. A typical example of such a scenario, in PKI based systems, is the 
resolution of disputes upon revocation. 
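The latency definitions and the basic measures of this section, computed over a hand-constructed hazard trace; this is an added example, not code from the SECURE tool, and the trace, the t = 0 reference point for MTTC, the detection-based MTTR and the use of mean detection latency for MTTD are assumptions made here.

```python
"""Security measures and latencies of Section 4, computed from a constructed trace.

Added example, not code from the SECURE tool.  TRACE is constructed by hand;
times are simulated seconds since the start of the run (t = 0).  Assumptions
the paper does not fix: MTTC is measured from the start of the run, MTTD is the
mean detection latency, and MTTR is measured from detection (time to eliminate
a hazard/compromise once the system is aware of it).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class HazardRecord:
    """One injected hazard and the events it produced (None = never happened)."""
    hazard_id: str
    t_occurrence: float            # hazard hits an entity
    t_activation: Optional[float]  # sensitive operation performed -> compromise
    t_detection: Optional[float]   # system becomes aware of the hazard/compromise
    t_removal: Optional[float]     # hazard/compromise eliminated
    secure_transactions: int       # transactions completed securely before activation


# Constructed trace: four injected hazards with different fates.
TRACE = [
    HazardRecord("H1", 10.0, 25.0, 40.0, 50.0, 150),      # compromise, detected later
    HazardRecord("H2", 60.0, None, 70.0, 75.0, 0),        # caught before activation
    HazardRecord("H3", 100.0, 130.0, 110.0, 140.0, 300),  # detected, but activated anyway
    HazardRecord("H4", 200.0, 260.0, None, None, 500),    # never detected or removed
]


def latent_at(trace, t):
    """Hazards satisfying the four latency conditions at time t: occurred,
    not activated, not detected, not removed."""
    def happened(ts):
        return ts is not None and ts <= t
    return [r.hazard_id for r in trace
            if happened(r.t_occurrence)
            and not happened(r.t_activation)
            and not happened(r.t_detection)
            and not happened(r.t_removal)]


def activation_latencies(trace):
    """Hazard activation latency: how long an undetected hazard stays latent
    before it is activated.  A hazard detected before activation was no longer
    latent when activated, so it is skipped."""
    return {r.hazard_id: r.t_activation - r.t_occurrence
            for r in trace
            if r.t_activation is not None
            and (r.t_detection is None or r.t_detection > r.t_activation)}


def detection_latencies(trace):
    """Hazard/compromise detection latency: present in the system but undetected."""
    return {r.hazard_id: r.t_detection - r.t_occurrence
            for r in trace if r.t_detection is not None}


def removal_latencies(trace):
    """Hazard/compromise removal latency: from occurrence until elimination."""
    return {r.hazard_id: r.t_removal - r.t_occurrence
            for r in trace if r.t_removal is not None}


def measures(trace):
    """The basic measures of Section 4 (MNTE, MTTC, MTBC, MTTD, MTTR)."""
    compromises = sorted((r for r in trace if r.t_activation is not None),
                         key=lambda r: r.t_activation)
    comp_times = [r.t_activation for r in compromises]
    between = [b - a for a, b in zip(comp_times, comp_times[1:])]
    repair = [r.t_removal - r.t_detection for r in trace
              if r.t_detection is not None and r.t_removal is not None]
    return {
        "MNTE": mean(r.secure_transactions for r in compromises),
        "MTTC": mean(comp_times),
        "MTBC": mean(between) if between else None,   # needs >= 2 compromises
        "MTTD": mean(detection_latencies(trace).values()),
        "MTTR": mean(repair),
    }


if __name__ == "__main__":
    print("latent at t=20 :", latent_at(TRACE, 20))
    print("activation     :", activation_latencies(TRACE))
    print("detection      :", detection_latencies(TRACE))
    print("removal        :", removal_latencies(TRACE))
    for name, value in measures(TRACE).items():
        print(name, value)
```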



5 Hierarchical Simulation 

The approach we suggest favors hierarchical simulation. Hierarchical simulation is 
based on analyzing the system behavior at different levels of abstraction with a 
simulation sub-model associated with each level. For all levels, the workload might be a real trace file collected in the field, or alternatively it might be generated from a 
synthetic distribution. The effects of hazards injected at a given level are 
characterized by statistical distributions and hazard models (e.g., probability and 
number of hazards affecting a component, and their effects on the component 
behavior). These distributions are to be used as inputs for hazard injection at the 
higher level model. As a consequence, hierarchical simulation requires that: 

• Distinct levels of abstraction be identified; 

• Hazard dictionaries (i.e., a mechanism to propagate hazard effects from lower level 
models to higher level models) be defined; 

• Experimental results from lower levels be propagated to upper levels. 

If properly implemented, hierarchical simulation provides extremely detailed 
modeling of specific aspects at an acceptable computing cost. 

However, establishing the proper number of hierarchical levels and their boundaries is 
not trivial. Several factors must be considered to find an optimal hierarchical 
decomposition that provides a significant simulation speed up with a minimum loss of 
accuracy, and in particular: 

1. The system complexity; 

2. The level of detail of the analysis; 

3. The kind of security measures to be evaluated; 

4. The strength of system component interactions (weak interactions favor hierarchical decomposition, whereas strong coupling hinders it). 

Simulation for security analysis involves the injection and the propagation of hazards 
into the system under study at different levels of abstraction, such as the physical 
level, the system level, the network level, the application level, and the personnel 
administration level. We envision three fundamental hierarchical levels, which are 
illustrated in Figure 2. We believe these levels provide an efficient framework for 
accurate security analysis of a wide class of systems. The simulation, however, can be 
very time consuming and memory bound, since it has to track the propagation of 
hazards from lower levels to higher levels. 

There are several common issues that apply to hazard injection at all levels. The first 
issue is: what is the appropriate hazard model at the chosen level of abstraction? 
There is no easy answer to this question. Only field data and experience are valuable guides. 




Fig. 2. Hierarchical simulation for security analysis. Hazards propagate from lower levels to higher levels. At the System Level a hazard may be represented by an attacker tampering with sensitive data. This security breach may lead at the Network Level to the disclosure of confidential information. By using such information, a malicious user might be able at the Application Level to perform an unauthorized transaction 

The second issue is: for a given hazard model (e.g. the disclosure of a private key) 
and hazard type (e.g. transient hazard), where should the hazard be injected? A 
straightforward approach is to randomly choose a location from the injection space 
(e.g. all private keys of certificate subjects in the community). This scheme is easy to 
implement, but it has two major drawbacks. The first is that many hazards may have 
similar impact (e.g. misuse of private keys of ordinary users may have comparable 
effects). The second is that many hazard locations may not be exercised at all. An 
alternative approach is to inject hazards into a few representative locations under 
selected workload. This technique can be used to evaluate the impact of locations or 
workloads in terms of system security. Alternative injection strategies should be used, 
so as to provide a broad evaluation of the system. 
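A minimal hazard dictionary walking the three levels of Figure 2, together with the two injection-site strategies just described, as an added Python example (not code from SECURE); the dictionary, the injection space, the propagation probabilities and the seed are constructed for illustration.

```python
"""Hazard dictionary propagation and injection-site selection (Sections 3 and 5).

Added example, not code from the SECURE tool.  The hazard dictionary, the
injection space, the propagation probabilities and the seed are constructed
for illustration; the chain of hazards follows Figure 2.
"""
import random
from collections import Counter

# Hazard dictionary: the effect observed at one level becomes the hazard model
# injected at the next level up, with the (assumed) probability that it
# propagates: system-level tampering -> network-level disclosure ->
# application-level unauthorized transaction.
HAZARD_DICTIONARY = {
    ("system", "tamper_sensitive_data"):
        ("network", "disclose_confidential_info", 0.6),
    ("network", "disclose_confidential_info"):
        ("application", "unauthorized_transaction", 0.5),
}

# Injection space for the hazard model "disclosure of a private key": every
# private key in a constructed community, tagged with the role of its owner.
INJECTION_SPACE = [
    ("ca_root_key", "ca"), ("ra_key", "ra"),
    ("user_001_key", "user"), ("user_002_key", "user"),
    ("user_003_key", "user"), ("user_004_key", "user"),
]


def propagate(level, hazard, rng, dictionary=HAZARD_DICTIONARY):
    """Push one hazard up the hierarchy; returns the chain of (level, hazard)
    pairs that actually manifested, starting with the injected one."""
    chain = [(level, hazard)]
    while (level, hazard) in dictionary:
        up_level, up_hazard, p = dictionary[(level, hazard)]
        if rng.random() >= p:      # effect did not manifest at the upper level
            break
        level, hazard = up_level, up_hazard
        chain.append((level, hazard))
    return chain


def random_locations(space, n, rng):
    """Straightforward strategy: n locations drawn at random from the whole
    injection space (may repeat, may leave locations unexercised)."""
    return [rng.choice(space) for _ in range(n)]


def representative_locations(space):
    """Alternative strategy: one location per role, since hazards on the keys
    of ordinary users are expected to have comparable effects."""
    first_per_role = {}
    for location, role in space:
        first_per_role.setdefault(role, (location, role))
    return list(first_per_role.values())


def campaign(locations, rng, dictionary=HAZARD_DICTIONARY):
    """Inject 'tamper_sensitive_data' at the system level at each location and
    count, per role, how often the chain reaches an application-level compromise."""
    reached = Counter()
    for _location, role in locations:
        chain = propagate("system", "tamper_sensitive_data", rng, dictionary)
        if chain[-1][0] == "application":
            reached[role] += 1
    return reached


if __name__ == "__main__":
    rng = random.Random(7)   # fixed seed so the run is reproducible
    print("random sites        :",
          dict(campaign(random_locations(INJECTION_SPACE, 20, rng), rng)))
    print("representative sites:",
          dict(campaign(representative_locations(INJECTION_SPACE), rng)))
```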



6 Tool Architecture 

The result of the above discussed considerations is a simulation tool, called SECURE, 
currently under development at the University of Naples. SECURE is a powerful tool 
for security analysis, which supports hierarchical and hybrid simulation. It represents 
a versatile means of evaluating system security as early as in the first design steps. It 
makes for effective testing, since it is possible to analyze the system under realistic 
operational conditions, including driving the simulation using real traces collected on 
the field. The hierarchical approach allows the behavior of components at a given 
level to be detailed in the lower level model. The granularity of the simulated 
activities and the quantitative measures evaluated are refined from one level to another. The tool provides support to rapidly model fundamental components found in 
most PKI based environments, to represent functional relationships and timing 
dependencies between them, to inject hazards to system components, to investigate 
the effects of alternative policies, to mimic the execution of procedures for detection 
and handling of security compromises, and to evaluate the effectiveness of different 
protection mechanisms and strategies. This makes it possible to extract quantitative 
measures, characterizing the probability and the criticality of potential security 
breaches, and ultimately evaluate the security level attained by the system. System 
ability to cope with security attacks is evaluated with respect to a number of different 
factors, and under varying load conditions. 

In the following, we describe the structure of the SECURE integrated tool. This 
structure is illustrated in Figure 3. 




Fig. 3. The SECURE simulation environment. The simulation skeleton defines interactions 
between simulated system components. C-SIM provides the simulation engine and the basic 
features to produce estimates of time and performance. SECURE facilities (the Component 
Libraries, the Hazard Injectors, and the Tracing Facilities) are specifically tailored to 
addressing security-related issues 

As shown in the figure, SECURE incorporates C-SIM [8] [9]. C-SIM is a process-oriented discrete-event simulation package for use with C or C++ programs. It provides a convenient tool which programmers can use to create models of a system to produce estimates of time and performance. By incorporating C-SIM objects and features, SECURE is able to take into account performance related issues. The SECURE simulation environment augments C-SIM with a number of facilities specifically tailored to addressing security-related issues, providing features to evaluate security related aspects. 

The main components of SECURE are: 

• The component libraries 

• The hazard injectors 
• The tracing facilities 



6.1 Component Libraries 



The component libraries provide a number of objects and features, which are a 
generalization of those typically found in most PKI based systems. Since SECURE is 
intended for use by designers of real PKI systems, the names for the base classes have 
been chosen as close as possible to the standard ones (we did not want to bother the 
designers with some new fancy names). 

The main object classes of the current implementation are: 

• The Certification Authority (CA) - Simulates an entity that issues Public Key 
Certificates (PKCs) and Certificate Revocation Lists (CRLs). Certificate applicants 
may enroll (either directly, or via a Registration Authority) and receive PKCs, 
which convey identity information about the certificate subject. This is done in 
accordance with well defined rules, as specified in the policy and in the Certification 
Practice Statement [10]; 

• The Authorization Authority (AA) - Simulates an entity that issues Attribute 
Certificates (ACs) and Attribute Certificate Revocation Lists (ACRLs). Certificate 
applicants may enroll (either directly, or via a Registration Authority) and receive 
ACs, which convey authorization information about the subject of the public key 
certificate pointed to by the attribute certificate [11]; 

• The Registration Authority - Simulates an entity that front-ends a Certification 
Authority service or an Authorization Authority service. It is in charge of 
authenticating certificate applicants, according to the enforced rules; 

• The Relying Party (or Certificate User) - Simulates a party who acts (or is in a 
position to act) in reliance upon a certificate and its subject public key; 

• The Subscriber - Represents a party who is the subject of a certificate and who is 
capable of using, and is authorized to use, the private key that corresponds to the 
public key listed in the certificate; 

• The Repository - Is a database of certificates and other relevant information 
accessible online; 

• The Link - Comes in two flavors: the Generic Link object and the Secure Link 
object. The former acts as a conduit, and is the basic means of communication. The 
latter is an embellished version of the same object, which provides a secure 
communication channel between two entities. 



6.2 Hazard Injectors 



The hazard injectors enable the designer to mimic hazard occurrences in the system 
components according to realistic scenarios. This is achieved by means of a utility 
class that has the capability of injecting hazards into other objects, thus providing the 
user with an external mechanism to handle injecting hazards into a large number of 
components. Such a strategy increases the control one has over the actions of the 
individual pieces. Since several independent external injectors can be created and 
used, this provides the means for simulating quite complex hazard scenarios. As an 
alternative to using an external entity, injectors can be incorporated in the objects. 
This provides the components with a built-in injection system, which greatly 
simplifies the simulation. It is up to the user whether to use the simple route, or to 
employ the more customizable route. 

As far as hazard duration is concerned, we distinguish between transient hazards 
(i.e., hazards which disappear after some time), and permanent hazards (i.e., hazards 
which persist in the system if proper actions are not taken). A transient hazard occurs, 
for example, if a private key is disclosed. In this case, the hazard will automatically 
disappear upon expiration of the validity period of the corresponding public key 
certificate. The hazard may also be removed prior to the expiration date of the 
certificate, if this is successfully revoked. A typical example of a permanent hazard 
is a breach into a system which hosts sensitive data. In this case a security hazard is 
present until the breach is detected and proper remedy action is taken. 

SECURE provides many options to tailor how the injection process acts. For transient 
hazards, it is possible to set the hazard duration to a constant value or, for random- 
duration ones, to set the parameters of a normal distribution (mean duration and 
standard deviation) from which the duration is sampled. It is also possible to have the 
injector read hazard data from a file collected in the field. 

As far as hazard occurrence is concerned, different analytical models for both 
transient and permanent hazards are available. We can set the injection model to one 
of a number of predefined types, such as constantly occurring, exponentially based, 
Weibull-distribution based, or Erlang-distribution based. Again, it is also possible to 
have the injector read hazard data from a file collected in the field. 



6.3 Tracing Facilities 

To help the designer to evaluate the security level attained by the system or system 
prototype under test, support has been incorporated into SECURE to extract 
quantitative measures from experimental data. The tracing facilities make it possible 
to monitor a number of events, and in particular: 

• Hazard occurrence - a security hazard manifests in a system component; 

• Hazard activation - a hazard, which was present in a system component, leads to 
a security compromise. A hazard activation thus corresponds to a compromise 
occurrence; 

• Hazard/compromise detection - a hazard/compromise, affecting the system or a 
system component, is detected; 

• Hazard/compromise removal - a hazard/compromise, affecting the system or a 
system component, is eliminated. 

The tracing facilities also provide a number of functions to extract from the collected 
data the security measures and the latency information described in section 4. 
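The hazard life cycle of 6.2 and the four traced events of 6.3, carried through as an added example in Python. This is not SECURE's own code (which builds on C-SIM); the class and parameter names are my own, and the scenario in the main block is constructed for illustration.

```python
import random
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Hazard:
    """Trace record of one injected hazard (times are simulated time units)."""
    kind: str                          # "transient" or "permanent"
    occurred: float                    # hazard occurrence
    activated: Optional[float] = None  # hazard activation, i.e. compromise occurrence
    detected: Optional[float] = None   # hazard/compromise detection
    removed: Optional[float] = None    # hazard/compromise removal


class Injector:
    """Draws inter-occurrence times from one of the injection models named in 6.2."""
    def __init__(self, model, seed=0, **params):
        self.model, self.rng, self.p = model, random.Random(seed), params

    def next_gap(self):
        p, rng = self.p, self.rng
        if self.model == "constant":
            return p["interval"]
        if self.model == "exponential":
            return rng.expovariate(p["rate"])
        if self.model == "weibull":
            return rng.weibullvariate(p["scale"], p["shape"])
        if self.model == "erlang":   # Erlang(k, rate) is Gamma(shape=k, scale=1/rate)
            return rng.gammavariate(p["k"], 1.0 / p["rate"])
        raise ValueError("unknown injection model: " + self.model)


def simulate(injector, kind, horizon, duration, detect_delay, activate_delay, remedy):
    """Inject hazards into one component up to `horizon` and trace each one's life cycle.

    transient: the hazard vanishes by itself after `duration` (a disclosed key whose
               certificate expires) and is detected only if `detect_delay` comes first;
    permanent: the hazard stays until it is detected (`detect_delay`) and remedied (`remedy`).
    It is activated (a compromise occurs) `activate_delay` after appearing, provided it is
    still present at that moment.
    """
    trace, t = [], 0.0
    while True:
        t += injector.next_gap()
        if t > horizon:
            return trace
        h = Hazard(kind, t)
        if kind == "transient":
            h.removed = t + duration
            if detect_delay < duration:
                h.detected = t + detect_delay
        elif kind == "permanent":
            h.detected = t + detect_delay
            h.removed = h.detected + remedy
        else:
            raise ValueError("unknown hazard kind: " + kind)
        if t + activate_delay < h.removed:
            h.activated = t + activate_delay
        trace.append(h)


def measures(trace):
    """Measures extracted from the trace: how often a hazard becomes a compromise, the
    detection latency, and how long a compromise stays open before removal."""
    activated = [h for h in trace if h.activated is not None]
    detected = [h for h in trace if h.detected is not None]
    return {
        "hazards": len(trace),
        "compromise_probability": len(activated) / len(trace) if trace else 0.0,
        "detection_latency": mean(h.detected - h.occurred for h in detected) if detected else None,
        "exposure": mean(h.removed - h.activated for h in activated) if activated else None,
    }


if __name__ == "__main__":   # constructed scenario: key disclosures and host break-ins
    leaks = Injector("exponential", seed=7, rate=1 / 200.0)
    breaches = Injector("weibull", seed=7, scale=500.0, shape=1.5)
    print(measures(simulate(leaks, "transient", 10000, 90, 30, 10, 0)))
    print(measures(simulate(breaches, "permanent", 10000, 0, 72, 6, 24)))
```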
7 Conclusions and Directions of Future Work 

This work has presented a novel methodology for system security analysis, called 
simulated hazard injection. The approach consists of simulating the behavior of the 
target system while hazards, i.e. attacks on system security which may originate 
security compromises, are injected into its components. To the best of our knowledge, 
such an approach has never been proposed in the literature before. The methodology 
is augmented by the definition of a set of parameters, which are suited for use as 
security measures. Among these, particularly relevant is latency. Extreme detail is 
needed in the evaluation of the latency of a security hazard/compromise, in order to 
evaluate the security level attained by the system. The suggested analysis technique 
and metrics have been integrated in a simulation tool for designing PKI based 
systems. The tool is called SECURE and it provides support to rapidly model 
fundamental components found in most PKI based environments, to represent 
functional relationships and timing dependencies between them, to inject hazards into 
system components, to investigate the effects of alternative policies, to mimic the 
execution of procedures for detection and handling of security compromises, to 
evaluate the effectiveness of different protection mechanisms and strategies, and to 
extract quantitative measures, characterizing the probability and the criticality of 
potential security breaches. This ultimately allows the system developer to evaluate 
the trade-offs of alternative design solutions, with respect to a number of different 
factors. 

Future work will aim at: 

• Demonstrating the potentialities of the suggested approach, by applying the 
methodology and the tool to the case study of a real system; 

• Combining the measures provided by the tool, in order to reflect standard criteria 
for product evaluation (such as, for example, the ITSEC common criteria). 
Abstract. Security protocols are used to exchange information in a 
distributed system with the aim of providing security guarantees. We 
present an approach to modeling security protocols using lazy data types 
in a higher-order functional programming language. Our approach sup- 
ports the formalization of protocol models in a natural and high-level 
way, and the automated analysis of safety properties using infinite-state 
model checking, where the model is explicitly constructed in a demand- 
driven manner. We illustrate these ideas with an extended example: 
modeling and checking the Needham-Schroeder public-key authentica- 
tion protocol. 



1 Introduction 

The increasing popularity of distributed computing and applications like inter- 
net banking and electronic commerce has created both tremendous risks and 
opportunities. Many of the risks stem from security breaches, which can be ru- 
inously expensive. One of the cornerstones of security is the use of security (or 
cryptographic) protocols in which information is exchanged that is intended to 
provide security guarantees such as authentication or atomicity of cash/goods 
transactions. Although such protocols typically involve each agent sending only 
a few messages, they are extremely difficult to get right. Designing correct pro- 
tocols has been likened to “programming Satan’s computer” [1] as the protocol 
should work in the presence of a hostile, powerful, opponent who can read and 
alter messages at will. 

In response to this challenge, various formal methods have been proposed for 
analyzing security protocols. Many of them are based on either model checking or 
interactive verification. In model checking¹, systems are modeled as (finite-state) 
transition systems, where states model protocol events or agent knowledge [7, 
12, 16, 17]; the state space can then, at least in theory, be completely analyzed to 
determine if a desired property holds. Model checking methods are powerful and 
automatic, but their use as decision procedures often requires strong assumptions 
to bound the information that is analyzed. This is problematic because there are 
infinitely many messages that attackers can possibly send. An alternative is to 
develop specialized logics [2,11] or approaches for reasoning about protocols 
that do not bound the possible messages sent. For example, one can model 
protocols as sets of possible communication traces, where messages of unbounded 
size can be sent [15]. The disadvantage is that this results in an undecidable 
formalism and verification requires interactive theorem proving, which demands 
considerable effort. 

¹ We use the term model checking in a general way that includes approaches based on 
explicit state enumeration, e.g. [4], as well as temporal logics and automata theory. 

In this paper, we present a new approach to protocol analysis that combines 
complementary aspects of model checking and verification. We show how, in 
the appropriate setting, the kinds of formal models that are used for interactive 
verification can also be used for automatic, infinite-state, model checking. 

The key idea is that we use lazy data types to model the infinite state-space 
associated with a protocol. A lazy data type is one where data-type constructors 
(e.g., cons for building lists, or node for building trees) build data types without 
evaluating their arguments [6]; this allows us to represent and compute with 
infinite data (e.g., streams or infinite trees), generating as much of the data as 
is needed on demand. We use lazy data types to build a model and to compute 
with it afterwards. We formalize a protocol and attacker model (a description 
of the powers of attackers) as an infinite tree and perform infinite-state model 
checking using standard search algorithms combined with heuristics that prune 
and reorder the infinite tree in a demand driven fashion. 

The semantic formalism we use for modeling protocols and attackers is a 
trace-based interleaving semantics, motivated by, and closely following, the 
account given by Paulson in [15]. Paulson models a protocol as an inductively 
defined set of traces, where each trace is consistent with the protocol and the 
chosen attacker model. He uses these models for verification: he interactively 
proves, by induction, that violations of security properties (i.e., some bad situ- 
ation, such as a spy learning the key of an honest agent) cannot occur in any 
trace. In our work, rather than formalizing protocols as inductively defined sets, 
we formalize them as infinite trees. The nodes of the tree are traces and children 
correspond to trace extensions by a step of (some run of) the protocol or an ac- 
tion by an attacker. Hence, a protocol, along with an attacker model, defines an 
infinite tree and a security property is a property of nodes in the tree. Violations 
of security properties are found by a kind of infinite-state model checking, which 
is performed by searching the infinite tree. 

Formalizing inductively defined sets as lazy trees makes it easy to represent 
the search space in a structured way. During search we explore the infinite tree, 
constructing finite prefixes of it “on the fly”. The result is a formalism, with 
a clear semantic foundation, that we can directly use for automatic property 
checking. Moreover, the use of lazy trees makes it easy to incorporate heuristics 
into model checking: we use heuristics to lazily reorder the infinite tree, producing 
dramatic speedups in subsequent search. 

The remainder of this paper is organized as follows. In section 2 we provide 
an overview of the semantic formalism used in this paper and some background 
on lazy data types and Haskell, a lazy language that we use for our work. We 
$$\begin{aligned}
s_1)\ & A \to B : \{A, N_a\}_{K(B)} \\
s_2)\ & B \to A : \{N_a, N_b\}_{K(A)} \\
s_3)\ & A \to B : \{N_b\}_{K(B)}
\end{aligned}$$

Fig. 1. Needham-Schroeder public-key authentication protocol 



also introduce our running example: the Needham-Schroeder public-key authen- 
tication protocol. In section 3 we explain how we formalize models of protocols 
and in section 4 we show how to carry out model checking with them. We also 
discuss heuristics and present experimental results. Finally, in section 5, we draw 
conclusions. 

2 Background 

2.1 From protocols to traces 

A protocol is a recipe that describes how agents (or principals) should act to 
achieve some goal. Protocols are often described using informal notation, for 
example as a sequence of instructions explaining the actions taken by the agents. 
Figure 1 is a typical textbook account of a protocol, in this case, a version of an 
authentication protocol proposed by Needham and Schroeder [14]. The protocol 
consists of three steps (s1-s3) in which two agents, A and B, exchange messages 
in order to mutually authenticate each other. 

Each step describes an event A → B : X, which states that A exchanges 
the message X with B. Messages consist of atoms, like agent names and nonces 
(randomly generated strings), and are composed by tupling. Moreover, messages 
may be encrypted using keys of agents. Here, in the first step, A identifies himself 
and sends a nonce Na to B. The entire message is encrypted with B's public 
key. In the second step, B sends Na back to A, along with his own nonce Nb, 
encrypted with A's public key. Sending Na back authenticates B: for only B 
could return Na, at least if we assume (1) perfect encryption, (2) that only B 
knows his private key, and (3) that other agents cannot simply guess the nonce 
Na. B also sends along his own challenge, the nonce Nb, which A returns in the 
third step, thus demonstrating that she is really A. 

Although security protocols are small and appear intuitive, this appearance 
is deceptive. The above protocol was proposed in 1978 and twenty years went 
by before [10] discovered that, contrary to what was believed, the final step of 
the protocol does not authenticate A; it is possible for B to finish a run of the 
protocol with an agent who is other than she claimed to be in the first step. 
These kinds of errors, which can be exceedingly subtle, motivate the need for 
formal analysis. By giving a protocol a formal semantics we can then make 
meaningful statements about whether it has desired properties. Moreover, a 
formal semantics is the basis for rigorous analysis based on verification or, in 
our case, model checking. 
$$\textit{empty}:\ \frac{}{[\,] \in P} \qquad\qquad
s_1:\ \frac{t \in P \quad N_a \notin \mathit{used}\ t}{t,\ A \to B : \{A, N_a\}_{K_B} \in P}$$

$$s_2:\ \frac{t \in P \quad N_b \notin \mathit{used}\ t \quad A' \to B : \{A, N_a\}_{K_B} \in t}{t,\ B \to A : \{N_a, N_b\}_{K_A} \in P}$$

$$s_3:\ \frac{t \in P \quad A \to B : \{A, N_a\}_{K_B} \in t \quad B' \to A : \{N_a, N_b\}_{K_A} \in t}{t,\ A \to B : \{N_b\}_{K_B} \in P}$$

$$\textit{attacker}:\ \frac{t \in P \quad X \in \mathit{synthesize}\,(\mathit{analyze}\,(\mathit{sees}\ t))}{t,\ \mathit{Spy} \to B : X \in P}$$

Fig. 2. Protocol as inductively defined set 



One way to model a security protocol, which is also popular in modeling other 
kinds of protocols, is to abstract away any possible implementation of the steps 
and instead to focus on communication between agents: one describes, like in 
figure 1, the externally observable events that take place and the order in which 
they occur. No further assumptions are made such as when an event occurs, 
or how the events of different runs of the protocol between different agents in 
a network are temporally ordered. Hence, a natural model of a protocol is the 
set of all possible traces, that is, the event sequences that can result from any 
interleaving of (possibly partial) runs. 

It is relatively straightforward to build a formal model based on this idea. 
This has been done by Paulson, who completely formalizes such a model in 
higher-order logic, which he uses for machine supported verification. In his work, 
a protocol plus an attacker model corresponds to an inductively defined set of 
traces. Such an inductively defined set can be presented by a collection of rules 
and is the smallest set closed under application of the rules. 

Figure 2 contains the rules Paulson uses to formalize the Needham-Schroeder 
protocol. Explaining this in detail would take us too far off topic, but the idea is 
simple enough. The rules define a set of traces P, which constitute the semantics 
of the protocol. The rules should be read that when the premises (above the line) 
hold, then the conclusion (below the line) also holds. They formalize how, when 
certain conditions hold, traces can be extended with new events. 

The rule empty starts off the inductive definition: the empty trace always 
belongs to P. This models a system where no communication has (yet) taken 
place. The rules s1-s3 formalize the identically named steps of the protocol. For 
example, s1 formalizes that any trace t ∈ P can be extended ("," is used to 
extend the trace t by an event) by the event A → B : {A,Na}kb. That is, 
independent of what events have come before, any agent may start a run of the 
protocol with any other (here terms like A and B are variables that range over 
all agents). The premise Na ∉ used t formalizes that the nonce Na is fresh, i.e., 
it doesn't appear in any previous event in the trace t. We have used boldface 
font to highlight the similarity with the steps in figure 1. The rules s2 and s3 
explain how, provided the previous steps have occurred (i.e., are contained in 
the trace), the next step can occur. Note that in s2 (and similarly in s3), for 
B to say {Na,Nb}ka to A, we require that B received {A,Na}kb, but not 
necessarily from A. It could be any agent, masquerading as A. Said another way, 
B cannot, from this message alone, determine who sent it — this is the whole 
point of authentication! The rule attacker formalizes a commonly used attacker 
model due to Dolev and Yao [5]: the spy can say (and hence augment any trace 
t) anything that he can synthesize from analyzable parts of messages that he can 
see. The auxiliary functions synthesize, analyze and sees are defined over traces 
and sets of messages, and we will shortly give our own definitions of them. 

To summarize, the rules formalize how traces can be extended with new 
events in a way consistent with the protocol and together they define the set of 
all possible communications where protocol runs can be interleaved with each 
other as well as attacker broadcasts. Hence a protocol corresponds to a set of 
traces and this provides a basis for formal analysis. A protocol then has [or lacks] 
some property, precisely when the property holds [or fails] for every [some] trace 
in the corresponding trace set. 



2.2 Lazy Data Types and Haskell 

In verification, we can formalize and reason about infinite sets. However, the 
kinds of constructs available for doing so (e.g., inductive definitions or set com- 
prehension) are usually not available in programming languages where expres- 
sions should be computable. However, programming languages offer other pos- 
sibilities for representing infinite objects: we can write functions that enumerate 
the elements of infinite sets, at least until we run out of memory or patience. In 
this sense, a function can represent an infinite set or infinitely large data. 

Lazy data types provide a principled way of representing infinite data using 
functions that can generate arbitrarily large finite prefixes on demand. The term 
lazy derives from the mechanism of lazy evaluation, which ensures that expres- 
sions or components of structures are expanded in a demand driven way and are 
not evaluated more than is necessary to provide a value at the “top level”. In 
a lazy functional programming language this allows us to write recursive defini- 
tions that represent infinite data. For example, if : is the "cons" constructor 
for building lists, the two equations 

nat = from 0 

from n = n : from (n+1) 

define nat to be the infinite list [0, 1, 2, 3, 4, ...]. The cons constructor can 
be viewed as a function that does not evaluate its arguments until they are 
required. Hence the elements of this list are generated on demand; only when 
we ask for the head of the list is the definition of from unfolded to generate 
the first element 0. Evaluation of the remainder (the tail) is again delayed, until 
computation forces further evaluation. 
Lazy data types are extremely useful. We use them to specify the infinite trace 
sets associated with protocols. We execute these specifications and functions 
over them using Haskell [8], which is a lazy, higher-order, polymorphically typed, 
functional programming language. The equations for nat given above, and indeed 
all text in this paper in typewriter font, are Haskell programs. 

An introduction to Haskell is outside the scope of this paper. However most 
aspects of Haskell should be clear from the examples given, at least if the reader 
is familiar with modern functional programming languages. We briefly mention 
one feature though, which turned out to be very useful for describing proto- 
cols. Haskell supports a notation for specifying (possibly infinite) sets using list 
comprehension, which is analogous to set comprehension. Sets in Haskell are 
represented by lists. For example we can represent the set 

$\{2 \times x \mid 1 \le x \le 10 \wedge x \bmod 2 = 0\}$ 

in Haskell as 

[2 * x | x <- [1..10], x `mod` 2 == 0] 

which is equal to {4, 8, 12, 16, 20}. The notation [c | t <- xs, p] represents 
a set where for each t in the list xs, for which the predicate p holds, we add 
an element c to the result set. In general, there can be more than one generator 
(expressions like t <- xs) as well as zero or more predicates. Moreover, in a 
generator, the term t can be a composite term, called a pattern, which is matched 
against each element of xs. Due to technical reasons, patterns in Haskell must be 
linear, which means that each variable in t can occur just once. One can often 
work around this by renaming common variables apart and adding predicates 
that equate them, e.g., translating the generator [x,x] <- xs (which selects all 
doubleton lists from xs whose elements are identical) to [x,x1] <- xs, x == 
x1. We will see applications of this shortly. 

3 Model building 

In the previous section we have described two ideas: how a protocol can be mod- 
eled as an infinite set of traces and how to represent and compute with infinite 
data. We now put these ideas together and show how to formalize protocol 
models using lazy data types. For concreteness, we return to our running example, 
the Needham-Schroeder protocol; the ideas are more general. 

As observed in the introduction, our formalism is based on Paulson’s, except 
we formalize inductive definitions in a way that we can directly compute with. 
Moreover, rather than formalizing an infinite set, we formalize an infinite (trace) 
tree. The difference is slight: each node in the tree is labeled with a trace in 
the inductively defined set of traces and the layers of the tree correspond to 
stages of the inductive definition. The advantage over a formalization based on 
implementing infinite sets as lazy lists is that it is easier to compute the closure 
of a set represented as a tree since, for a monotone closure operator, the elements 
s1 t = [Says a b (Crypt b (Pair (Agent a) (mkNonce t))) 
        | a <- [Alice, Bob, Spy], b <- [Alice, Bob, Spy], a /= b] 

s2 t = [Says b a (Crypt a (Pair (Nonce na) (mkNonce t))) | 
        Says _ b (Crypt b1 (Pair (Agent a) (Nonce na))) <- t, 
        b == b1] 

s3 t = [Says a b (Crypt b (Nonce nb)) | 
        Says a b (Crypt b1 (Pair (Agent a1) (Nonce na))) <- t, 
        a == a1, b == b1, 
        Says _ a' (Crypt a1' (Pair (Nonce na') (Nonce nb))) <- t, 
        a == a', a' == a1', na == na'] 

attacker t = [Says Spy a msg | a <- [Alice, Bob], 
              msg <- synth (analz Spy (sees Spy t))] 



Fig. 3. Functions for generating the trace set 



introduced at each iteration correspond to the next ply of the tree. This makes 
it easy to generate the set, without checking for repetition, and, as we will later 
see, to introduce search heuristics. 

The central data type in our work is that of a tree labeled with elements of 
some type a (a is a type variable, so we can have trees labeled by elements of 
arbitrary types). To allow for arbitrarily many children, each node contains an 
element of type a and a list of zero or more trees of type a. 

data Tree a = Node a [Tree a] 

For example Node 1 [Node 2 [], Node 17+18 []] belongs to the type Tree 
Int. Note that Node is a lazy data constructor: its arguments (e.g., 17+18) are 
evaluated later, only when required for computation. 

We use data types to model agents, messages, and events. For the Needham- 
Schroeder protocol, we formalize three agents, Alice, Bob, and a Spy. Messages 
may be agent names, nonces, pairs of messages, or encrypted messages. Events 
are broadcasts of a message from one agent to another. 

data Agent = Alice | Bob | Spy deriving (Eq, Show) 

-- Eq is derived because the comprehensions in figures 3 to 5 compare agents and messages 
data Msg = Agent Agent | Nonce Int | Pair Msg Msg | Crypt Agent Msg deriving (Eq, Show) 
data Event = Says Agent Agent Msg deriving (Eq, Show) 

Note that we abstract away from the details of cryptography and identify the 
public key of an agent with his name (and we will assume that only that agent 
has the inverse private key). Also, nonces are named by integers. 

Figure 3 contains our formalization of the steps of the protocol and the 
attacker model, based on the inductive definition of figure 2. The functions cor- 
respond to the identically named rules: each function specifies how a trace t can 
be extended. For example, s1 uses set comprehension to iterate over all pairs 
of agents a and b (a and b are variables ranging over agents) and states that 
analz a hs = 
  let inj xs = xs 
      fst xs = [x | Pair x y <- xs] 
      snd xs = [y | Pair x y <- xs] 
      decrypt xs = [x | Crypt ag x <- xs, ag == a] 
  in closure (inj `or` fst `or` snd `or` decrypt) hs 

synth hs = 
  let inj xs = xs 
      agent _ = [Agent a | a <- [Alice, Bob, Spy]] 
      crypt xs = [Crypt a x | x <- xs, a <- [Alice, Bob]] 
      pair xs = [Pair x y | x <- xs, y <- xs] 
  in (inj `or` agent `or` crypt `or` pair) hs 

sees a t = foldr (\x r -> (sees1 x) `union` r) emptyset t 
  where sees1 (Says _ b x) = if a == b || a == Spy then [x] else [] 

or f g = \xs -> (f xs) `union` (g xs) 



Fig. 4. Formalizing the attacker's capabilities 



the event Says a b (Crypt b (Pair (Agent a) (mkNonce t))) can be used 
to extend any trace. The auxiliary function mkNonce generates a fresh nonce 
(not occurring in the trace t); hence this formalizes A → B : {A,Na}kb. The 
function s2 (and similarly s3) formalizes that an extension corresponding to the 
second step of the protocol is allowed only when the trace contains the first step. 

The last function, attacker, formalizes the attacker model. This uses the 
auxiliary functions given in Figure 4.² The function analz decomposes messages 
into their analyzable parts, e.g., the parts of pairs. Looking into an encrypted 
message requires the corresponding key (so we assume perfect cryptography). 
We use synth to build messages from known parts, and sees formalizes that the 
spy can see all communication that has taken place (i.e., is in the trace). 

To formalize the model itself, we employ a function, which given (1) an initial 
state, init, and (2) a function, extension, mapping states to lists of successor 
states, formalizes an infinite tree. 

build_tree extension init 
  = Node init (map (build_tree extension) (extension init)) 

The root of the tree is labeled by init and, at each ply, extension is applied to 
generate the successors, upon which build_tree is recursively applied. Depend- 
ing on the extension function, build_tree formalizes a tree of finite or infinite 
depth, which is finitely or infinitely branching. 

² In addition, closure takes a function f and a set s and applies f to s until a 
fixed point is reached. Note that our formalization differs here slightly with respect 
to Paulson's. He computes the closure in both synth and analz, whereas we only 
compute the closure in analz; the former is always infinite and the latter is always 
finite. Formalizing an infinite set is not a problem in a lazy setting; we could do 
this with a stream. However, we have avoided this as it would result in an infinitely 
branching tree (instead of a finitely branching tree with infinite length branches), which 
would complicate the application of reordering heuristics. Instead, we perform just 
one synthesis step, and spread the closure computation down (instead of across) the 
infinite tree. 

We complete our specification by applying the above function to formalize p, 
the model itself. The initial state consists of the empty trace and the extension 
function computes successor states by extending traces using the functions in 
figure 3. 

ext t = map (\x -> ins x t) extensions 
  where extensions = ((s1 `or` s2 `or` s3 `or` attacker) t) 

p = build_tree ext [] 

The specification of the model is direct and concise. The corresponding 
Haskell code takes just over a page. 

4 Model checking 

We have formalized an infinite-state model as a lazy tree. Here we show how to 
perform infinite-state model checking based on lazy state-enumeration: we can 
search the state space for attacks, constructing parts of the tree on demand. For 
protocols/attacker models that produce infinite trees, this constitutes a semi- 
decision procedure. It is a decision procedure when the trees are finite. 

If there is an attack, it will be present in a trace located at some node in 
the tree p. Finding this node, however, may not be easy. The tree is not only 
infinitely deep, it has a large branching factor. For example, the first ply has 12 
nodes; each node contains a singleton trace and together the 12 traces represent 
all the ways that any two distinct agents can start a run of the protocol as well 
as all the messages that the spy can send. 

[Says Alice Bob (Crypt Bob (Pair (Agent Alice) (Nonce 0)))] 
[Says Alice Spy (Crypt Spy (Pair (Agent Alice) (Nonce 0)))] 
[Says Bob Alice (Crypt Alice (Pair (Agent Bob) (Nonce 0)))] 
[Says Bob Spy (Crypt Spy (Pair (Agent Bob) (Nonce 0)))] 
[Says Spy Alice (Crypt Alice (Pair (Agent Spy) (Nonce 0)))] 
[Says Spy Bob (Crypt Bob (Pair (Agent Spy) (Nonce 0)))] 
[Says Spy Alice (Agent Alice)] 
[Says Spy Alice (Agent Bob)] 
[Says Spy Alice (Agent Spy)] 
[Says Spy Bob (Agent Alice)] 
[Says Spy Bob (Agent Bob)] 
[Says Spy Bob (Agent Spy)] 

(Note that for the empty trace, the spy is unable to say much of interest — 
this quickly changes as the traces grow.) The second ply has 314 nodes and the 
third 17,529. Such an exponential branching factor means that standard search 
algorithms are unlikely to succeed in finding even relatively simple attacks that 
might reside at shallow depths. Therefore, we use heuristics both to prune the 
search tree as well as to reorder the way it is searched. 

import Data.List (sortBy) 

-- apply f to the list of children at every node (mapBranches and filterBranches
-- are the tree combinators of the model)
sortPly f t = mapBranches f t 
  where mapBranches f (Node a l) = Node a (map (mapBranches f) (f l)) 

-- the optimized tree: prune non-protocol events, then sort each ply by weight
p' = sortPly f (prune p) 
  where f = sortBy cmp 
        cmp (Node t1 _) (Node t2 _) = 
          if w1 < w2 then LT 
          else if w1 == w2 then EQ else GT 
          where w1 = weight (head t1); w2 = weight (head t2) 
        -- lower weight means higher priority
        weight e = (protStep e) + (fromSpy e) 
        -- 1, 2, 3 for a message in the format of protocol step 1, 2, 3 sent to
        -- the holder of the key it is encrypted under; 10 otherwise
        protStep (Says _ x (Crypt x1 (Pair (Agent _) (Nonce n)))) = 
          if x == x1 then 1 else 10 
        protStep (Says _ a (Crypt a1 (Pair (Nonce na) (Nonce nb)))) = 
          if a == a1 then 2 else 10 
        protStep (Says _ b (Crypt b1 (Nonce nb))) = 
          if b == b1 then 3 else 10 
        protStep _ = 10 
        -- events involving the spy are searched first
        fromSpy (Says a1 a2 _) = 
          if (a1 == Spy || a2 == Spy) then 0 else 4 
        prune t = filterBranches (\x -> protStep (head x) <= 3) t 

Fig. 5. Heuristics for pruning and reordering the tree 

Figure 5 displays the heuristics we use, which are based on two simple ideas. 
First, the protocol specifies events of a particular format: agents taking part in 
the protocol only send certain kinds of messages. The spy, however, has considerably 
more freedom and, as a result, many traces contain events that could 
not have resulted from some step of the protocol and have no consequences as 
they will not provoke any response from honest protocol participants. The first 
heuristic is to prune these traces and their successors. Second, we assign priorities 
to events and give the highest priority to those that could arise from the 
first step of the protocol followed by the second and then the third. Moreover, 
we give events a higher priority when they involve the spy. This priority is input 
to a function, sortPly, which sorts, according to priority, the nodes on a ply. 

Applying the heuristics to p yields p'. The use of lazy data types here allows 
us to separate search from pruning and ordering heuristics: conceptually, the 
heuristics map the infinite tree p into another, p', which we can later search. 
In reality, lazy evaluation applies the heuristics in a demand-driven way during 
search to explore first parts of the tree that contain potentially interesting dialogs 
with the spy. 

We model check the improved search space using standard search algorithms. 
We found most useful an implementation of iterative deepening search, ids, that 
iterates bounded depth first search with bounds 0, 1, 2, ... . 

-- iterative deepening: concatenate the results of bounded searches with bound 0, 1, 2, ...
ids pred t = flatten [ idsn n pred t | n <- [0 ..]] 

-- depth-bounded search returning the states (traces) within the bound for which pred holds
idsn n pred (Node a l) = 
  if n == 0 then (if pred a then [a] else []) 
  else if pred a then (a : rest) else rest 
  where rest = flatten (map (idsn (n-1) pred) l) 

The result returned by ids is a stream (lazy list) of states for which pred holds. 

Formalizing an appropriate instance of pred that characterizes security violations 
turned out to be surprisingly difficult. Attacks manifest themselves as 
traces where the spy learns secrets, or takes on identities, which he shouldn't, 
and it is non-trivial to characterize such traces in a general, high-level way. In 
our case, we encoded specialized predicates over traces to formalize violations 
of particular security properties. For example, we can formalize "after a run of 
the protocol, B fails to authenticate A" as: agent B gets a nonce from (an agent 
claiming to be) A in format of step 3 (so the run is complete) that he sent to a 
different agent C in format of step 2, which the spy can analyze. 

attack [] = False 
-- the head is a step-3 message {nb}_b delivered to b
attack (Says a b (Crypt b1 (Nonce nb)) : tr) = 
  if b == b1 then (sent tr && analyze) else attack tr 
  where -- b earlier sent nb, in step-2 format, to some c other than a and b
        sent [] = False 
        sent (Says b2 c (Crypt c1 (Pair (Nonce _) (Nonce nb1))) : esrest) = 
          (b1 == b2 && nb == nb1 && c == c1 && c /= a && c /= b) 
          || sent esrest 
        sent (_ : esrest) = sent esrest 
        -- and the spy can derive nb from what it has seen
        analyze = elem (Nonce nb) (analz a (sees Spy tr)) 
attack (_ : tr) = attack tr 

With all the pieces in hand, we can now model-check. The command 

head (ids attack p') 

applies ids to the optimized tree, and head forces the computation of the first 
element of the stream, which is returned as the result. The result of this search 
is a trace that represents a version of the "man in the middle" attack on the 
Needham-Schroeder protocol, first identified by [10]. 

[Says Alice Spy (Crypt Spy (Pair (Agent Alice) (Nonce 0))), 
 Says Spy Bob (Crypt Bob (Pair (Agent Alice) (Nonce 0))), 
 Says Bob Alice (Crypt Alice (Pair (Nonce 0) (Nonce 2))), 
 Says Alice Spy (Crypt Spy (Nonce 2)), 
 Says Spy Bob (Crypt Bob (Nonce 2))] 

The trace, read top down, lists the events that constitute the attack. In this attack, 
Alice starts the protocol (first step) with the Spy. The Spy takes advantage 
of this by starting another run of the protocol with some other agent, here Bob, 
passing on Alice's message. When Bob responds with his own nonce (third step), 
Alice assumes that it came from the spy. She then sends back the nonce to the 
Spy (fourth step) who uses it to convince Bob that he is Alice (fifth step). This 
attack shows that if Alice talks to someone who has the powers of an attacker, 
then this can be used to take on her identity. Hence, this protocol is too weak 
to actually authenticate the initiator. 

This attack, which involves a trace of length 5, is found on the fifth ply of 
p'; the search requires 13 CPU seconds on a 400 Megahertz PC. Model checking 
with pruning, but no reordering, finds a solution in just over a minute. Without 
pruning, our computing resources were inadequate to find an attack. 
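The search of this section, as an added Python example (not the paper's Haskell code): generators stand in for lazy evaluation, successors applies the pruning and weight ordering of Fig. 5 while generating children, idsn/ids mirror the iterative deepening above, and attack is a version of the predicate restricted to honest victims. The honest-agent step rules, the spy's restricted synthesis rule (only protocol-shaped messages, built from what it has intercepted) and the nonce numbering are this example's own assumptions.

```python
"""Lazy state-enumeration search for the Needham-Schroeder attack (added example)."""
from typing import Iterator

ALICE, BOB, SPY = "Alice", "Bob", "Spy"
AGENTS = (ALICE, BOB, SPY)
HONEST = (ALICE, BOB)            # assumption: the spy acts only through its own rule

# Messages are nested tuples mirroring the paper's Agent / Nonce / Pair / Crypt.
def Agent(a): return ("Agent", a)
def Nonce(n): return ("Nonce", n)
def Pair(x, y): return ("Pair", x, y)
def Crypt(k, m): return ("Crypt", k, m)   # k names the agent whose public key encrypts m
def Says(a, b, m): return (a, b, m)       # event: a sends m to b
# A trace is a list of events, newest first (head = most recent), as in the paper.

def analz(msgs) -> set:
    """Close a message set under taking pair components and decrypting with the spy's key."""
    known, todo = set(), list(msgs)
    while todo:
        m = todo.pop()
        if m in known:
            continue
        known.add(m)
        if m[0] == "Pair":
            todo.extend(m[1:])
        elif m[0] == "Crypt" and m[1] == SPY:
            todo.append(m[2])
    return known

def spy_knows(trace) -> set:
    """Assumption: the spy eavesdrops on every message sent on the network."""
    return analz(m for (_, _, m) in trace)

def honest_steps(trace) -> list:
    """Events Alice and Bob may send next (simplified step rules; fresh nonce = trace length)."""
    fresh, out = Nonce(len(trace)), []
    for a in HONEST:                      # step 1: start a run (assumption: one run per initiator)
        if not any(s == a and m[0] == "Crypt" and m[2][0] == "Pair" and m[2][1] == Agent(a)
                   for (s, _, m) in trace):
            out += [Says(a, b, Crypt(b, Pair(Agent(a), fresh))) for b in AGENTS if b != a]
    for (_, r, m) in trace:               # r received m, encrypted under r's key
        if r not in HONEST or m[0] != "Crypt" or m[1] != r or m[2][0] != "Pair":
            continue
        x, y = m[2][1], m[2][2]
        if x[0] == "Agent" and y[0] == "Nonce" and x[1] != r:   # step 2: {A, Na}_r -> {Na, Nr}_A
            if not any(s == r and d == x[1] and m2[0] == "Crypt" and m2[2][0] == "Pair"
                       and m2[2][1] == y for (s, d, m2) in trace):
                out.append(Says(r, x[1], Crypt(x[1], Pair(y, fresh))))
        elif x[0] == "Nonce" and y[0] == "Nonce":                # step 3: {Na, Nb}_r -> {Nb}_partner
            for (s, partner, m1) in trace:                       # partner = whom r started with
                if s == r and m1 == Crypt(partner, Pair(Agent(r), x)):
                    ev = Says(r, partner, Crypt(partner, y))
                    if ev not in trace and ev not in out:
                        out.append(ev)
    return out

def spy_steps(trace, known) -> list:
    """Protocol-shaped messages the spy can synthesize (Fig. 5's pruning applied up front)."""
    nonces = sorted(m for m in known if m[0] == "Nonce")
    out = []
    for r in HONEST:
        cands = [Crypt(r, Pair(Agent(x), n)) for x in AGENTS for n in nonces]
        cands += [Crypt(r, Pair(n1, n2)) for n1 in nonces for n2 in nonces]
        cands += [Crypt(r, n) for n in nonces]
        cands += sorted(m for m in known if m[0] == "Crypt" and m[1] == r)  # replay ciphertexts
        for m in cands:
            ev = Says(SPY, r, m)
            if ev not in trace and ev not in out:
                out.append(ev)
    return out

def prot_step(ev) -> int:
    """Fig. 5's protStep: 1, 2 or 3 for a step-shaped message sent to its key holder, else 10."""
    _, r, m = ev
    if m[0] != "Crypt" or m[1] != r:
        return 10
    body = m[2]
    if body[0] == "Pair" and body[1][0] == "Agent" and body[2][0] == "Nonce":
        return 1
    if body[0] == "Pair" and body[1][0] == "Nonce" and body[2][0] == "Nonce":
        return 2
    return 3 if body[0] == "Nonce" else 10

def weight(ev) -> int:
    """Fig. 5's priority: protocol step, plus 4 unless the spy is involved (lower is searched first)."""
    return prot_step(ev) + (0 if SPY in ev[:2] else 4)

def successors(trace) -> list:
    """Child traces, pruned to protocol-shaped events and stably sorted by weight (prune + sortPly)."""
    evs = honest_steps(trace) + spy_steps(trace, spy_knows(trace))
    evs = [e for e in evs if prot_step(e) <= 3]
    evs.sort(key=weight)
    return [[e] + trace for e in evs]

def attack(trace) -> bool:
    """Honest b accepted {nb}_b from a, yet b had sent nb (step-2 format) to some c that is
    neither a nor b, and the spy can derive nb: b failed to authenticate its peer."""
    for i, (a, b, m) in enumerate(trace):
        if b not in HONEST or m[0] != "Crypt" or m[1] != b or m[2][0] != "Nonce":
            continue
        nb, older = m[2], trace[i + 1:]
        sent = any(s == b and c not in (a, b) and m2[0] == "Crypt" and m2[1] == c
                   and m2[2][0] == "Pair" and m2[2][1][0] == "Nonce" and m2[2][2] == nb
                   for (s, c, m2) in older)
        if sent and nb in spy_knows(older):
            return True
    return False

def idsn(n: int, pred, trace) -> Iterator[list]:
    """Depth-bounded DFS; yields traces satisfying pred, generating children only on demand."""
    if pred(trace):
        yield trace
    if n > 0:
        for child in successors(trace):
            yield from idsn(n - 1, pred, child)

def ids(pred, trace, max_depth: int) -> Iterator[list]:
    """Iterative deepening with bounds 0, 1, 2, ... (capped here so the demo terminates)."""
    for n in range(max_depth + 1):
        yield from idsn(n, pred, trace)

def find_attack(max_depth: int = 5):
    """head (ids attack p'): the first attack trace in the lazily enumerated, pruned tree."""
    return next(ids(attack, [], max_depth), None)

if __name__ == "__main__":
    for ev in reversed(find_attack()):    # oldest event first, as the paper prints the trace
        print(ev)
```

The search returns the five-event trace of the man-in-the-middle attack shown above, with Bob's nonce numbered 2 because it is generated when the trace has length 2.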

5 Conclusions 

Semantic models provide a foundation for interactive verification. We have shown 
how such models, in the context of a lazy programming language, can be used to 
formalize and automate the analysis of security protocols. Our empirical results 
are encouraging and provide evidence for the suitability of our approach. 

There are a number of directions for future work. First, we would like to 
carry out more ambitious case studies. To support this, it would help to be 
able to generate formal models from high-level descriptions (as in figure 1) of 
security protocols and attacker models; furthermore, it should be possible to 
use these descriptions to generate automatically search heuristics like those we 
considered. Second, our formalization of the attack predicate in section 4 is ad 
hoc. We would like to develop more principled, high-level, ways of specifying 
security properties. Perhaps using predicates about agent belief, like those in 
the BAN logic [2], could help, although work is required to give such predicates 
meaning with respect to the kinds of models we used. Finally, we have shown 
that it is possible to take models from verification and recast them in a setting 
where they become more computable. The result, of course, is still completely 
formal. Hence, it would be interesting to use our models for both model checking 
and inductive theorem proving. 
1 Introduction 

Quite a large number of years had passed from the introduction of Arpanet/Internet 
until it started to become clear that the Internet would become a vehicle 
for carrying e-commerce. In the beginning, this network was largely of military 
interest and used by academics, and traffic was limited to mail and file transfers 
using ftp. Large collaborative distributed computing was thought to be an 
application, but did not materialize. With the introduction of easy to use user 
interfaces based on HTML, access became possible for the masses, causing both 
the number of users and the interest in conducting commerce to grow rapidly. 
One of the next major steps which promises to bring a large increase in Internet 
use and effectiveness is an improved payment infrastructure (in a very general 
sense). One factor commonly believed to have dampened the possibilities for, 
and interest in, electronic commerce has been the lack of such an infrastructure. 

Thus, practically employable e-commerce has to date been based on existing 
payment structures, i.e. credit cards. These, however, have several properties 
that make them inappropriate for use over the Internet; some of these include 
their large overhead, risks related to inappropriate use, and inconvenience of use 
- particularly for small payments. 

So, it seems that alternative and simpler methods of payment are required. 
The lack of such simple schemes can be explained by "the chicken and the egg 
problem," namely, without a large existing merchant base, the need for payment 
schemes is less acute, and without a working payment scheme, merchants are 
unable to enter the Internet market. Another problem has been that financial 
institutes traditionally are very conservative, particularly when it comes to trying 
out new and heretofore unproven payment methods. 

All of these problems are, however, gradually fading away: substantial work 
is being performed on implementing public key infrastructures. Merchants are 
becoming aware of the strong potential of the Internet marketplace and are 
making themselves ready to enter it quickly, and some banks are starting to employ 
cryptographers and security experts, making it easier for them to evaluate 
technology-related risks. 

It seems that it is no longer a question whether there will be Web-based 
payment schemes. However, a question that remains is what type of scheme(s) 
will be employed and how soon. To some extent the question of what schemes 
will be dominant may be resolved not by the consumer, but via government 
intervention and bank preferences, and by corporate sponsorship. It is likely, 
though, that many schemes will co-exist at least for a few years, allowing the 
consumer to state desired preferences. 

Cryptographic research has produced several important payment related notions 
and properties of schemes over the last few years. These include, among 
others, the issues of anonymity, revokable anonymity and fairness, crime prevention, 
micropayments, smart card based schemes, software-only schemes. 
It seems that much has been achieved, yet since global or wide usage has 
not been achieved, it may be the case that there is still a lot of new issues to 
be dealt with and much technological work to be done. This is an interesting 
issue that needs to be discussed and examined. The suitability of the research 
results to the actual problems faced by financial institutions and the merchant 
base is another motivating issue. This gives rise to the following characterization 
of categories. 



Payment Categories 

At this point we should clarify that electronic payments can be classified according 
to the acting parties. The parties can be business-to-business, consumer-to-business, 
business-to-consumer, business-to-government, etc. However, most of 
these electronic payment needs have been covered. Businesses can transfer funds 
to each other via ACH or Wire transfers. Similarly, they can transfer funds to 
governments. Furthermore, even though there is still the possibility of enabling 
electronic checks among these entities, it is still unclear whether or not this is an 
enhancement of current possibilities or simply a true business enabler. Much of 
the business related payments and commerce may rely on systems which follow 
bank-aided business to business practices which may be constructed as enhancements 
to "public-key infrastructure" as opposed to own dedicated payment 
systems, e.g. the "four-corner model" of typical commerce banking transactions 
that was put forth in [ K Y9 ]. 

It seems to us that the open problem demanding immediate attention in 
current electronic payment methods is the lack of efficient consumer oriented 
payment methods (either consumer to business or business to consumer). This 
paper and discussion is therefore focused on this particular part of the market 
(of course, this segment of payments has to be connected to other e-payments). 



Organization 

The paper is organized as follows. Section 2 discusses credit cards, which are 
by far the most prominent method for electronic payments. Section 3 discusses 
electronic checks, and how they fit in the on-line payment arena. Section 4 categorizes 
the various proposed "cash-like" methods. Section 5 gives representative 
examples of a variety of payment systems. We obviously are not exhaustive in 
covering the many various suggested schemes and apologize for omitting many 
interesting designs. Some of the business and political issues are mentioned in 
Section 6. Then, Section 7 touches on some possible future scenarios, constraints 
and implications. The final section concludes the paper. 

2 Credit Card Payments 

The most common type of payment used on-line are credit card payments. The 
main reasons for this are of course convenience, ease of use, and because they 
are ubiquitous and omnipresent. However, as noted above, they are insecure, 
offer no anonymity, and do not allow small payments. 
— High costs and inability to make small payments. Each credit card 
payment has a fixed cost of 2 -4 cents, plus a variable cost of 2-4.5%, 
depending on the method used and the negotiated contract. 

The fixed costs originate from the cost of performing a transaction, since 
transactions usually involve some type of paperwork, and the traversal of a 
proprietary network rented by Visa, Mastercard, or some other credit card 
provider. US banking regulations exist which mandate that users' accounts 
be maintained so as to enable a mechanism for disputing payments. This 
makes relatively high fixed costs unavoidable. 

The variable costs are a reflection of the security problems associated with 
credit cards. In other words, the credit card issuers recover their costs from 
fraud by charging the merchants a percentage on their customers' purchases. 
For this reason this fee is variable, and is much higher for, say, Internet 
or telephone purchases than it is for purchases where the physical card is 
presented. It also varies by industry sector, with certain high-fraud businesses 
being penalized with higher fees. 

In short, the main reason for these high fees is the insecurity of the original 
credit card design, which allows merchants to view (and copy, and reuse) all 
of the customer's private information. 
As a result of these high fees, payments of less than $ cannot be made 
with credit cards with a reasonable profit being made by the merchants 
(especially for on-line merchants, who incur higher charges). Aggregating 
small payments into one reasonably sized amount before charging one's credit 
card is the solution currently used, but this poses too many unnecessary 
restrictions on both users and merchants. 

— Purchases are traceable. Despite the convenience of a full history 
of one's purchases, as well as the ability to dispute payments made with 
a credit card (especially in the US), the fact that credit card issuers have 
all the users' spending information available poses serious privacy concerns. 
This information is sold to advertisers, and is utilized internally by credit 
card issuers to target advertisements to their audience. From both an ethical 
as well as a practical perspective, giving someone the ability to conduct 
payments should not go hand-in-hand with knowing their whereabouts, their 
spending patterns, and their personal preferences. 

— Security problems for the customers. One of the bigger problems with 
credit card payments is that all the user's private information is exposed 
to the merchants. This allows merchants to effectively steal and use their 
customers' credit cards. Obviously, this is a much greater threat over the 
Internet, where the merchant can be located anywhere in the world. 

This security problem is manifested in two different ways, depending on 
where the credit card has been issued: 

— For credit cards issued outside the US, the end-customer is held liable for 
all purchases. Thus, a stolen credit card number has a direct impact on 
the consumer. Clearly, this is a serious security problem, especially since 
the customers have little or no control whatsoever over the merchants' 
handling of their credit card information. 
— For US-issued credit cards, there is a regulatory limit of $5 on the consumer's 
liability in case of a lost or stolen card number. In addition, most 
credit cards will typically refund the whole amount from a fraudulent 
purchase, so more likely than not the customer's liability is nil. Credit 
card issuers often take advantage of the fact that consumers are afraid 
of losing their credit cards by offering them additional "security guard" 
features. In essence, this is an insurance against theft or loss of one's 
credit card; the problem is that the fee for this insurance is extremely 
high, typically .5 to % of the customer's purchases. 

Thus, in either case consumers are unfairly penalized for the credit cards' 
own inappropriate security design. 

3 Electronic Checks 

Following the model of physical payments, where credit cards, cash, and checks 
combine to dominate the market, a logical step for payments are electronic 
checks. Described in an abstract fashion, these are sequences of bits that encode 
a value, and using either digital signatures or other cryptographic constructions 
allows a receiver to distinguish between valid and invalid bit sequences. 

Some methods have indeed been put to practice, but there has been no large-scale 
adoption to date. The biggest missing link for these schemes is to put in 
place legislation governing the use of digital signatures and other cryptographic 
functions, so that the types of digital agreements which can be seen as binding 
can be determined. This is therefore an adaptation of the interpretation of how 
written signatures are binding. Even though digital signatures have been put to 
practice many years ago, and even though they are much harder to forge than 
handwritten signatures, they are not yet legally binding to the same extent that 
handwritten signatures are (except in places where laws were put in place). 
This point creates a severe problem for issuing banks: lack of a clear regulation 
framework. 

One of the largest components in the cost of checks is the physical delivery 
into and out of the clearing houses. Attempts to mimic checks electronically by 
presenting an electronic image of checks causes a large traffic over electronic 
networks, so it solves the cost problem only partially (whereas digital signature 
based checks have the potential for being much cheaper to implement). 

So, while we believe that "check based" payments are viable, and that they 
will turn out to be important once they are successfully introduced, this is not 
likely to occur before more specific legislative structures are in place. Similarly, 
these payment methods depend on a comprehensive public key infrastructure to 
be in place before they can become common and widespread. While this is on 
the way of happening, it has not materialized yet. 

It is important to note that banks and financial institutions are relatively 
conservative due to the heavily regulated nature of their industry. Therefore, 
e-payment implementations to date are a very close reflection of payments in 
the physical world, and do not incorporate features that would normally come 
to mind in an electronic scenario. For example, there is no real-time clearing 
method for electronic checks, which although impractical in the physical-check 
world would make perfect sense electronically. One possible reason for this is 
that banks have built their business models around a particular way of handling 
checks, which would be invalidated with the availability of real-time clearing. 
However, as technology progresses the banks will have to catch up or they are 
at risk of being bypassed. 

4 Types of Cash-like Schemes 

In this section, we will discuss some different types of cryptographically based 
payment schemes, broadly referred to as "e-cash" or "cash-like" schemes. This 
categorization is necessary due to the multitude of proposed systems and the 
differences between their approaches. 

4.1 Categorizing by Privacy Options 

As highlighted in section 2, consumer privacy is a major concern, considering 
the ease with which data mining can be performed electronically. Therefore, a 
significant portion of electronic payment systems afford some level of consumer 
privacy. We briefly outline the levels of available privacy in this section. 

Schemes with Perfect Privacy. Information which can be considered personal 
can be gathered at several stages in a payment process. To begin with, 
for every Internet connection the IP address of the consumer is exposed; this 
can be used for various types of tracing and is certainly private information. On 
the other end, the merchant may explicitly request personal user information 
in order to complete a purchase. Clearly, a payment mechanism cannot deal 
with these "out of band" information leaks. Therefore in our context "perfect 
privacy" means that the payment mechanism itself hides all consumer-specific 
information. 

Perfect privacy, frequently also referred to as "user anonymity", can be achieved 
in many ways. Anonymity may be established at the time of acquisition of 
some type of bearer instrument, similar to the way physical cash provides anonymity. 
Or, anonymity may be established at the time of payment, with the use of 
cryptographic techniques; in this case, the consumer can "convince" a merchant 
that the payment information supplied is correct, without revealing any information 
that could link this payment to the acquisition process, and therefore 
her/his identity. These types of techniques are called "zero-knowledge proofs". 

From a cryptographic perspective, these were the initial schemes (based on off-line 
coins) and they were based on "blind signature techniques", which is more 
efficient than generic zero-knowledge proofs. The notion was put forth by Chaum 
[ 2] who has been for many years a major proponent of digital cash within the 
cryptographic community. The notion has been investigated in the initial papers 
in the cryptographic literature [ ,00 9,009 , Y93, 93, 93,095]. 

Schemes with Revokable Privacy. Privacy, no matter how desirable, may 
cause problems in the regulatory and legal levels. In particular since a bearer 
instrument is, by definition, valid for payments in an open environment, there 
exists the potential for money laundering, buying illegal goods, blackmailing, 
and other attacks [ 92]. To prevent against these, some anonymous systems 
allow an administrative party or a collection of parties to revoke the consumer's 
anonymity under certain circumstances, such as a court order. Such revocation 
is usually made possible by forcing the consumer to encrypt their private information 
under the key(s) of the administrative authority(ies). When revocation 
is ordered, the encrypted data are given to the authority(ies) which can then 
decrypt to obtain the consumer's identity. An alternative to revocation which 
has been recently proposed, is public auditing hi of coins and access to revoked 
coins within this context. 

Schemes without Privacy or with Limited Privacy Mechanisms. There 
are also systems which do not employ anonymity, usually in the interest of simplicity. 
Despite the obvious consumer advantage of the availability of personalized 
dispute mechanism, complete lack of anonymity usually limits consumer appeal. 

Thus, some systems employ a mid-way for privacy. Usually this is performed 
by the entity issuing the bearer instrument (the "bank") possessing the consumer's 
private information, but preventing disclosure to third parties, including 
merchants. Some of these types of schemes are frequently confused with "perfect 
privacy" schemes, but the fact remains that the bank can still perform data 
mining on users' personal information; furthermore, the bank is the most likely 
party to perform such mining anyway, since it possesses the largest database of 
customer data. 



4.2 Categorizing by Size of Payment 

In principle, a payment mechanism should be able to handle arbitrary size payments. 
However, there are technical as well as regulatory reasons which prevent 
a single scheme from covering all possible payment types. 

Schemes for Large and Medium Payments. Generally when a large single 
payment is involved there exist regulatory requirements to record the payment 
amounts, or potentially to allow dispute of payments. But even in the absence 
of regulation, consumers are unlikely to use a payment mechanism for large or 
medium value payments if they cannot (a) easily obtain transaction records and 
dispute payments, (b) be assured that the security of the mechanism is adequate 
to protect the transmitted funds. On the other hand, processing costs, as well as 
the time to complete a purchase, are of lesser importance, since large payments 
are conducted with relatively small frequency from the consumer's side. Also, 
anonymity is of lesser importance, since a payment trail is usually desirable by 
the (lawful) consumers to allow for transaction records and potential disputes. 

Schemes for Small Payments. In contrast to the requirements for large 
payments, the priorities for schemes that can be used with small payment denominations 
are (a) efficiency, (b) anonymity, and (c) simplicity. Accountability, 
recording of transactions and dispute resolution are of lesser importance - except 
for when payments are aggregated to larger amounts, but this can be seen as a 
form of a large payment and treated accordingly. To this effect, a special category 
of schemes has been developed, traditionally called "micropayments" since 
they allow payments as low as cents or fractions of cents. It is important to note 
that the micropayment computational cost cannot be too large and resource consuming 
(which would increase their cost and will defeat their purpose). Thus, 
technology like blind signatures, which could have provided anonymity for small 
payments, is not useful due to its computational cost. 

4.3 igsfa ss (Probabilistic Schemes) 

In the majority of cases, payment mechanisms employ deterministic techniques 
during the payment verification process. This type of assurances are traditional 
in the banking industry. However, there are systems which can obtain (computational 
and otherwise) efficiency advantages by performing some payment-related 
functions in a probabilistic way, thus spreading the effective "cost" of an operation 
throughout multiple transactions and consequently achieving higher overall 
efficiency. 

Here we describe systems in which consumers pay according to a probabilistic 
model, either honor-based (you have to pay each time, and if you are caught not 
paying in a random "check" you are charged a multiple of the purchase price), 
or lottery based (you only pay infrequently, but you pay multiple times the 
purchase amount). Some examples of such schemes are: 

— Probabilistic Polling. The idea behind probabilistic polling construction 
is to integrate a probabilistic function defining the frequency for sending 
payment to the bank. These schemes propose a probabilistic deposit at the 
time of the transaction, correlating the risk of overspending to the frequency 
of on-line verification of payments. Drawbacks of the method are the need 
for on-line verification of users' solvability and black-listing (which requires 
to maintain a black-list and keep vendors informed of any newly revoked user). 

— Probabilistic Auditing. In this setting, a hardware-based deterministic 
scheme is combined with a probabilistic auditing of spending records (to 
detect overspending). 

— Probabilistic Paying. The idea is to let users send bids and pick randomly 
a transaction as a "contract" (or several transactions depending on 
the scheme setting) that is (are) declared as payments. The user committed 
to the contract must finalize the transaction and actually pay the merchant. 

4.4 Categorizing by Implementation Platforms 

Hardware based schemes. Many schemes rely to some extent on hardware 
implementations and assumptions. These schemes are of two major types: 

— Security relies on hardware. Some schemes, such as [ on], derive their 
security entirely from the hardware used. In [ on], users carry hardware, 
and in the hardware a state corresponding to the balance is kept. When a 
transaction is performed, this balance is altered correspondingly. Clearly, 
such a scheme would not be a good idea if implemented in software, as it 
would allow users to either increase their balance by increasing the counter, 
or even simpler, by "rewinding" to a previous state after a payment is performed. 
In schemes like the above, a probabilistic approach can be employed 
to limit the cost of the check, by only performing on-line verification for a 
certain fraction of the transactions, as discussed above. 

— Security improved by hardware. In other schemes, such as off-line coin-based 
schemes, the hardware is used to prevent overspending. Even though 
these schemes have mechanisms in place to detect and trace overspending, 
and some schemes allow the bank to block other coins issued to the fraudulent 
user, the use of hardware can reduce the amount of litigation, blacklisting, 
and complicated cases involving more than one country. 

Software-only schemes. There are many proposed schemes that do not rely 
on hardware. Two different categories can easily be distinguished: 

— Fraud is preventable. In on-line schemes (for a clarified example see [96]) 
the bank or a clearing agency gets involved in every transaction, and verifies 
that funds are available. It is therefore possible for the bank to ascertain that 
nobody spends funds he/she is not entitled to. The bank can verify that a 
user is entitled to spend an amount either by verifying that he has a coin (or 
similar) bearing a valid signature, and also verifying that this coin has not 
been previously spent. Alternatively, the transaction may be account-based, 
allowing users only to access funds by identifying themselves as having access 
to an account that the bank keeps. In the latter case, the bank determines 
the presence of the account, as opposed to the absence of a previously spent 
coin with the label in question. Both of these approaches have the drawback 
of the slowdown of the transaction due to the online connection with the 
bank, and the increased cost due to on-line availability requirements. 

— Fraud is unpreventable. In micro-payment schemes, each unit of funds is so 
small that there is no significant risk of fraud, as the amount to be gained is 
not substantial. Also, this type of payment scheme is likely only to be used 
in situations where there is no clear benefit associated with a tremendous 
overspending (such as access to home pages, etc.). It is important to design 
the supporting architecture to prevent accumulation of vast amounts of small 
payments to be used for something of high value that can be delivered before 
the bank detects overspending. (This type of delay is an important but little 
studied tool for reducing the incentive of misbehavior.) 

4.5 Categorizing by the Infrastructure 

Phone based. Specialized companies have been proposing to pay for transactions 
by charging these to the payer's phone bill. In principle, any bill could be 
used for this, e.g., the gas and electric bill, but it makes more sense to charge 
purchases to the phone bill, as in many cases the phone would already be involved 
in performing the transaction as well. 

Internet based. The new wave of payment schemes integrating privacy protection, 
non-repudiation features and enlarging the customer base of electronic 
commerce is obviously based on the Internet revolution. Indeed the Internet is 
the new arena for commerce and many other human activities. The examples 
of e-commerce services like amazon.com or ad demonstrate the impact and 
potential of the Internet context on old business and trade models. The new 
setting enables any customer to choose and decide knowing better and better 
the relative value of goods and services. Other models of business are direct 
and other computer equipment purchasing. These show another novel business 
model that the Internet enables. The direct access to customers and reduction 
of supply chains within and between organizations are expected to further enhance 
the economic value of the Internet. However, risks and problems of this 
new medium exist as well [ aYu9 ]. We believe that it is quite an acceptable 
prediction to declare that dedicated payment systems within the Internet arena 
are of prime importance. 

5 Examples of Schemes

We will now mention a few schemes, categorize them given the above payment
scheme taxonomy, and briefly discuss what types of situations they appear to be
best suited for.



5.1 Credit Card Setting and E-Cash Schemes

— NetBill: This scheme [ 95] is based on the on-line paradigm using basic
authentication methods. The work includes some novel interesting features
such as atomicity of payments (a fault tolerance feature whereby a user pays
only for transactions he receives) and anonymity by usage of pseudonyms.
The drawbacks may be the number of messages to process for a transaction,
and the mandatory on-line communication with the intermediary NetBill
server. We comment that the issue of fault tolerance raised by the atomicity
concern is real and important in deployed systems (see also [ 94, H Y96, 96,
W97, XYZZ99]).

— NetCheque and NetCash: This project [ 95] managed by the University of
Southern California is another on-line scheme where users issue checks using
a secret key (shared between a user and the bank) as a certificate of validity.
Weaknesses may be the need for users to register at the banks, and the on-line
verification of check correctness and fund availability which is required for
each payment. Off-line verification is a technical possibility, but at the cost
of possible fraud (non-detection of bad checks). This project is an extension
of NetCash [ 94] which implemented electronic currency in a way somewhat
similar to the Digicash scheme. However, the NetCheque system only keeps
track of tokens in circulation, i.e. those issued but not already spent.

— SET: Visa and Mastercard's analog to a credit-card setting which incorporates
legally-binding signatures, and implements digital signatures as a tool for
authenticating users, merchants, and banks. This reduces the possibility of
fraudulent transactions, thus bringing on-line transactions on par with
physical-card solutions. The technical details, originated by technology
companies (IBM, Microsoft and Netscape working together with the credit card
companies), are solid. Note, however, that the complexity of SET has, so far,
hampered its full-scale deployment. It is, in fact, too expensive for most
merchants to implement, and it also requires end-users to download specific
software and to participate in a public key infrastructure, which is not yet
firmly in place. Also, even SET does not raise credit cards to a sufficiently
high security standard to completely overcome fraud; hence credit cards still
charge merchant fees, which makes micropayments prohibitive.

— Digicash: The Digicash payment scheme involved so-called blind signatures,
which are standard signatures generated in a manner that does not allow
the signer to learn the message or the actual signature, but only their general
format. This is done in a withdrawal phase, enabling the entity to later
become the payer who holds a signature by the bank. Then, in a payment
phase, the payer sends this signature to the merchant, who forwards it to
the bank. Since the signature was withdrawn in a blinded fashion, the bank
cannot determine what withdrawal session it belongs to, but only that it
is a valid signature. Upon seeing such a valid signature, the bank verifies
that it has not been deposited already, and acknowledges the transaction
to the merchant if this has not taken place. Related versions allowing off-line
purchases have been developed; these, however, were not implemented due
to the risk of short-term high-volume overspending, while being computationally
intensive (as opposed to micropayments, below). The Digicash on-line scheme
has been implemented on various platforms. Before the end of DigiCash
operation, three smart-card based versions, the so-called DigiCash Blue mask,
existed. These schemes are closer to hardware-protected micropayments. The
larger of these versions (the ... K ROM, ... K ROM and 256 ... ones) implemented
what is known as the optimal fast bit command with compression, enabling
many fast payments with a transaction time of around 2 ms.
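The withdrawal / payment / deposit flow of the Digicash item above, as an added example (not Digicash's code): an RSA blind signature where the bank signs a blinded coin, the payer unblinds it, and the bank's deposit step checks both the signature and a spent-serial set. The toy 60-bit modulus, the absence of padding, the coin format "SHA-256 of a random serial" and the Bank/Payer classes are this example's assumptions.

```python
"""RSA blind signatures in a Digicash-style withdraw / pay / deposit flow (illustrative toy)."""
import hashlib
import secrets
from math import gcd

P, Q, E = 998244353, 1000000007, 65537     # fixed primes so the example is deterministic (toy size)
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's signing exponent


def coin_message(serial: bytes) -> int:
    """The coin's 'general format': the bank only ever checks that m = H(serial) mod N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    def __init__(self):
        self.deposited = set()              # serials already redeemed

    def sign_blinded(self, blinded: int) -> int:
        """Withdrawal: the bank signs without seeing m (the account debit is omitted)."""
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> bool:
        """Deposit: accept only a valid signature on a well-formed coin not seen before."""
        if pow(sig, E, N) != coin_message(serial):
            return False                    # not the bank's signature on this coin
        if serial in self.deposited:
            return False                    # double-spending attempt
        self.deposited.add(serial)
        return True


class Payer:
    def __init__(self, serial: bytes):
        self.serial = serial
        self.m = coin_message(serial)
        while True:                         # blinding factor must be invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blind(self) -> int:
        """What the bank sees: m * r^E, which hides m."""
        return (self.m * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig: int) -> int:
        """(m r^E)^D = m^D r, so dividing by r yields the bank's signature on m."""
        return (blinded_sig * pow(self.r, -1, N)) % N


def withdraw(bank: Bank, serial: bytes):
    """Returns the coin (serial, sig) the payer later hands to a merchant; the bank saw only blind()."""
    payer = Payer(serial)
    sig = payer.unblind(bank.sign_blinded(payer.blind()))
    return payer.serial, sig
```

The merchant forwards (serial, sig) to `deposit` and ships only on a `True` answer; that on-line check is exactly what makes the second `deposit` of the same serial fail, and nothing in the bank's records links the deposited serial to the blinded value it signed at withdrawal.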



5.2 Probabilistic Payment Schemes

While most schemes are deterministic in the way they treat legality of payments,
a few probabilistic methods have been discussed.

— Polling schemes: Gabber and Silberschatz [ 96] and Jarecki and Odlyzko
[JO97] proposed schemes where:

1. users register by giving a first payment, which is a signed note including
a bank certificate;

2. subsequent payments sent by users (depending on the underlying payment
scheme) are received by the vendor and probabilistically sent to the
bank for deposit at the time of the transaction.

The overspending risk can be limited to a known value by defining the
probabilistic checking as a function of the transaction size (making large
payments more likely to be checked).

— Yacobi's Auditing Scheme: In [Yac97] a hardware-based deterministic
scheme with a probabilistic auditing of spending records (to detect overspending)
is proposed. This project at Microsoft Research includes the following
features:

— smart-card based wallet (tamper-resistant device)

— e-coins signed by the bank and stored in the smart-card

— duplication (double-spending prevention) controlled by probabilistic
checking in the device

— Rivest's Lottery Tickets: In this lottery based scheme [Riv97a], the idea is to
use a chain of values as a book of lottery tickets. The user pays with the
next value (or pre-image) in the book (as will be described in the coupon
section 5.5) but with the twist that the bank later announces one of the
tickets as a winning ticket. If the user spent the corresponding ticket, then
he is responsible for paying the vendor with the ticket value. The lottery
must be held after the book (of the day, of the week) is not in use any more,
to prevent cheating users from trying to never spend a winning ticket.

In a variation of the scheme in [Riv97b], the decision to perform a payment is
made by both the payer and merchant, who execute a standard coin-flipping
protocol (merchant commits to a random number, payer sends a guess and
vendor de-commits) to decide jointly if the user should pay or not.
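The coin-flipping variation just described, as an added example that is not the published protocol: the merchant commits to a random r, the payer guesses g, the merchant de-commits, and both sides evaluate the same predicate. It generalizes the coin flip to "pay with probability 1/q" (so each round costs q times the unit value when it pays and the expected cost per round is one unit); the SHA-256 commitment and the (r + g) mod q rule are this example's choices.

```python
"""Commit-reveal coin flip deciding whether a micropayment is made (illustrative)."""
import hashlib
import secrets
from typing import Optional


def commit(r: int, nonce: bytes) -> bytes:
    """Merchant's commitment to r: hiding via the 32-byte nonce, binding via SHA-256."""
    return hashlib.sha256(nonce + r.to_bytes(8, "big")).digest()


def decide_payment(commitment: bytes, r: int, nonce: bytes, g: int, q: int) -> bool:
    """Run by both parties after the merchant reveals (r, nonce); raises if the merchant cheated."""
    if not secrets.compare_digest(commitment, commit(r, nonce)):
        raise ValueError("de-commitment does not match: merchant changed r after seeing the guess")
    if not (0 <= r < q and 0 <= g < q):
        raise ValueError("r and g must lie in [0, q)")
    return (r + g) % q == 0          # q == 2 is the plain coin flip of the text


def run_round(q: int, unit: int, r: Optional[int] = None,
              nonce: Optional[bytes] = None, g: Optional[int] = None) -> int:
    """One transaction worth `unit`; returns what the payer owes (0 or q*unit).

    Passing r/nonce/g explicitly makes the round deterministic (used by the tests)."""
    # merchant: choose r, commit; only the commitment crosses the wire
    r = secrets.randbelow(q) if r is None else r
    nonce = secrets.token_bytes(32) if nonce is None else nonce
    c = commit(r, nonce)
    # payer: sees only c, sends the guess
    g = secrets.randbelow(q) if g is None else g
    # merchant: de-commits (r, nonce); both sides evaluate the same predicate
    return q * unit if decide_payment(c, r, nonce, g, q) else 0


def payment_fraction(q: int, g: int) -> float:
    """For a fixed guess g, the fraction of merchant choices r that trigger payment: exactly 1/q."""
    return sum((r + g) % q == 0 for r in range(q)) / q
```

Neither side can bias the outcome: the commitment fixes r before g is known, and g is sent before r is revealed. A merchant who dislikes the result can only refuse to de-commit, which costs the merchant the payment rather than the payer.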

5.3 Hardware-Based Schemes

— Small value payments: Stern and Vaudenay's scheme [SV97] proposed
to deliver to each vendor a smart-card containing a master key.
Users buy tokens certified by the bank using the private-key scheme;
they perform a payment by sending a token to the vendor's device, which
checks the certificate in order to validate the transaction. The idea is that
only the bank knows the secret key while any vendor can properly verify the
tag authenticity. The main security issue is related to the master key storage
on each individual card, since breaking a card is equivalent to getting the
scheme's master key.

— Micro-Mint: Rivest and Shamir [RS96] proposed a scheme in which many
collisions are found by (substantial) precomputation by the bank, and such
collisions are handed out to users later. A collision, which is hard to find for
users, thereby becomes the token used for commerce, much like precious
metals for a long time were used for coins. The principle of the scheme is
that whereas a low number of collisions is hard to find, a large number of
collisions is not much harder to find, thereby allowing amortization. Methods
for distributing the effort of finding collisions were recently introduced in
[ 99].

— Hybrid schemes: The advantage of having a unified scheme which works
in software and hardware (assuming a card reader/writer in the PC) is advocated
in [ Y9 ]. The scheme combines a software-based (on-line) scheme
which is synchronized with a smartcard-based scheme where loading can be
done via the network.



5.4 Phone-Based Payment

— TelPay: This Canadian company [Tel] proposes a payment-by-phone service
to registered customers. During registration, each user is given a unique
registration number associated with a personal identification number (PIN).
Once set up with a registration number and PIN, it is necessary to also
set up the accounts users wish to pay. This requires identifying the payee
(company to be paid) and entering an account number with that payee. This
information is checked by the TelPay system to ensure, as far as possible, that
it is valid. From then on, to make a payment to that account all that is
required is that users dial the last three digits of the account number. The
amount is entered and the system confirms the name of the payee
and the amount to be paid. Any user can modify his profile and enter additional
details either regarding bills already registered or new bills to append to the
list of payees.

— iBill / eCharge: Two recent services, iBill [ibill] and eCharge [eCharge], also
allow merchants to charge transactions to the phone bills of the payer, but in
a slightly more streamlined manner. Whereas iBill focuses on the adult
market, and particularly subscriptions, eCharge expressly excludes this market.
Both use a concept closely related to 900 numbers, requiring a phone call by
the payer to be made in order for the fund transfer to occur. In iBill, this
involves the user manually, whereas in the scheme by eCharge it is done via a
modem. Both of these services allow only fixed charges of a small variety of
denominations, and so do not allow for shopping cart types of purchases. An
advantage of this type of service is that it is easy for the average consumer
to use and understand; a drawback is that it requires the phone service
provider to accept the risks involved in the types of purchases involved, which
is outside the typical business model of these companies.



5.5 Coupon-Based Schemes

— Lamport's one-time-password based schemes: Various schemes rely on
an idea from Lamport: Rivest and Shamir's PayWord [RS96], Anderson et
al.'s NetCard [ 96], Pedersen's scheme [Ped95], Jutla and Yung's PayTree
[JY96b] and Hauser et al.'s Micro-iKP [HSW96]. The idea is the
following: take a one-way permutation f (or a hash function), pick a random
input x and iterate the application of f a large number n of times
to produce y = f^n(x) = f(f(...f(x))) and authenticate y with a public-key
signature scheme. The chain of values y, f^{n-1}(x), f^{n-2}(x), ..., x has the
property that given an element of the chain, it is hard to compute the
pre-image (due to the one-wayness property) but easy to verify that this chain
leads to y, authenticated by the bank. The general construction of a payment
scheme based on this idea is to deliver to users triples of the form (x, y,
sign(y)); when users want to pay, they spend an inverse as a micro-payment
unit. Jutla and Yung generalized the chain idea to trees. The drawback is
again the double-spending attack; prevention against this attack is to check
on-line (which is expensive) or to blacklist malevolent users (but the user's
identity must be properly built in, so that forging/changing the identity is
hard to do).

— Q-count protocol:
The Q-count protocol designed by the company ... Technology [qct] is based
on the chain value idea. The card contains a key index k and the terminal a
Q-counter denoted x_i. The payment protocol integrates the following steps:

1. Card sends the key index k to the Terminal

2. Terminal replies with the following data:

— chain parameters (N, TID, CID, u)

— amount to be paid m

— current counter value x_i

3. Card computes x_0 = G(S_k, TID, CID, N, u) and x_1, x_2, ..., x_N where
x_j = F(x_{j-1})

4. Card computes x_{i-m} and decreases its balance by the value m * u

5. Terminal checks if F^m(x_{i-m}) = x_i

S_k is a secret key, F and G two one-way functions. The length of the chain
depends on the nature of spending. The spending of money on the road can
be done in a location with a beacon or between two beacons. A two beacon
setting gives enough time to prepare the transaction (between the readings),
the time requirement being less critical. On the contrary, in a one beacon
situation, the total transaction must be processed in less than 2 ms. In this
case, the chain is minimal (length 1) and the empty-counter at the terminal
is x_1 = F(x_0). The card will simply compute and send x_0.

— Millicent: Digital's (currently Compaq) research scheme Millicent
[ 95] is a private-key solution where brokers, connected to a certain
subset of vendors, are in charge of selling e-coins related to a vendor. These
vendor-specific coins can only be authenticated by the vendor, using his
private key. The brokers must be trusted and have agreements with vendors
(certification). This scheme is one of the initial micropayment schemes.
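The hash-chain construction of the Lamport/PayWord item and the terminal check F^m(x_{i-m}) = x_i of the Q-count protocol above, in one added example (not PayWord's or Q-count's published code). SHA-256 stands in for F, HMAC-SHA256 for G, and the Vendor/Card classes, the encoding of the chain parameters and the bank's signature on y (assumed verified before the vendor starts) are this example's assumptions.

```python
"""Hash-chain micropayments: chain y = f^n(x), vendor check F^m(x_{i-m}) == x_i (illustrative)."""
import hashlib
import hmac


def F(x: bytes) -> bytes:
    """One-way function iterated to build the chain."""
    return hashlib.sha256(x).digest()


def build_chain(x0: bytes, n: int) -> list:
    """[x_0, x_1, ..., x_n] with x_j = F(x_{j-1}); x_n is the anchor y that the bank signs."""
    chain = [x0]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain


class Vendor:
    """Vendor/terminal side: holds only the current anchor x_i and walks the chain backwards."""

    def __init__(self, anchor: bytes, n: int, unit: int):
        self.current = anchor        # x_n = y; its bank signature is assumed checked already
        self.remaining = n           # pre-images not yet spent
        self.unit = unit
        self.credit = 0

    def accept(self, token: bytes, m: int) -> bool:
        """Accept token as x_{i-m}, i.e. a payment of m units, iff F^m(token) == x_i."""
        if not 1 <= m <= self.remaining:
            return False
        v = token
        for _ in range(m):
            v = F(v)
        if v != self.current:
            return False             # wrong pre-image, or a replayed / already-used token
        self.current, self.remaining = token, self.remaining - m
        self.credit += m * self.unit
        return True


class Card:
    """Card side of Q-count: derives the chain from its secret S_k and the terminal's parameters."""

    def __init__(self, secret: bytes, balance: int):
        self.secret, self.balance = secret, balance

    def derive_chain(self, tid: bytes, cid: bytes, n: int, u: int) -> list:
        params = b"|".join([tid, cid, str(n).encode(), str(u).encode()])
        x0 = hmac.new(self.secret, params, hashlib.sha256).digest()   # G(S_k, TID, CID, N, u)
        return build_chain(x0, n)

    def pay(self, chain: list, i: int, m: int, u: int):
        """Release x_{i-m} for m units of value u and debit the balance; None if impossible."""
        if m < 1 or i - m < 0 or m * u > self.balance:
            return None
        self.balance -= m * u
        return chain[i - m]
```

Replaying a token fails because hashing it m times no longer reaches the vendor's (now lower) anchor, so the vendor detects re-use without contacting the bank; what it cannot detect locally is the same chain being spent at a second vendor, which is the double-spending problem the text addresses with on-line checks or blacklisting.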



5.6 Schemes with Revocability

The anonymity coming with the unrestricted usage of blind signature mechanisms
could lead to attacks from large-scale criminal organizations. In order to
reduce such risks and improve control and reliability of anonymous payment
schemes, the concept of revocable privacy was introduced. In such a setting,
privacy can be removed to identify malevolent users or trace improperly withdrawn
coins. The escrowed cash scheme introduced in [ 92] as well as schemes based on the fair
blind signature primitive [ 95] give a good flavor of the concept but required
the trustees to get involved during withdrawals (also [ K95]), decreasing
drastically the overall performance of the scheme. Recent works introduced the first
revocable off-line (w.r.t. the trustees) schemes, based on publicly verifiable
secret sharing techniques [ 96, ta96] or on indirect discourse proofs [ Y96]
(see also [ Y97, d 9 , Y9 ]).

An interesting model from Jakobsson and Yung [JY96a] introduced the notion
of Ombudsman (a government official in charge of the customers' defense
against abuses), yielding an efficient electronic money system where tracing does
not only depend on the bank but requires the combined endeavors of the bank
and the Ombudsman in the tracing process. Furthermore, the paper introduced
new types of attacks, including the bank robbery attack corresponding to an
adversary able to access secret pieces of information, and ways of protecting users
and issuers against these.

Several implementations such as [ 96], based on the fair blind signature
primitive, or [M'R96], sub-contracting the blinding to a trustee and using an
identity-based piece of information to achieve provable privacy and security,
were performed on smart-cards, proving the practical validity of such concepts.

Schemes based on public auditing for crime prevention rather than revocation
are given in [ 99a, 99b].

6 Technical, Business and Political Issues

In order to appeal to mainstream customers, have a large merchant base, and get
many involved in the payment systems, technology and other factors (business,
legal, policy and political ones) have to be reconciled. While the richness of
available schemes is justified technically (and has to be pursued by scientists), the
mainstream solutions have to account for many concerns. The integration of the
solutions, especially the global large-scale one, requires a lot of understanding
of the regulatory, financial, social and other aspects of the user base (clients,
merchants, financial institutes (old and new), governments, regions and global
markets).

Integrating payment technology with other technologies (fault tolerance,
distributed systems, Internet interfaces/API's, other e-commerce infrastructure,
etc.) is still challenging since cryptography is merely a component of the entire
system. Some open issues are in [ 97, W9 ].

What is interesting to note is that many of the issues dealt with by the technical
community are also issues expressed in the business world (sometimes after
they were recognized technically). Many of the technical concerns in the
cryptographic literature reviewed so far, indeed, have parallels in the business,
legal and policy literature. The banking industry has reported concerns regarding
counterfeiting on the user side [ a96, a97a] and risk supervision avoiding
commitments to unbacked funds on the bank side [ a97b, a9 ]. Many of the
concerns regarding money laundering are expressed in numerous policy works, e.g.
in [ 96, 09 , W9 , 0 96]. Possible legal problems with anonymity
are expressed in [ 95].

However, large-scale studies of comprehensive technological solutions have not
been done yet. The issue of economic stability assurances that new currencies
should maintain (technically and otherwise) is an important issue. The development
of stable and well recognized business models will help in integrating
operational payment schemes into the business world. The issue of education of
the user base, market(s) penetration and the overall integration of payments as
an infrastructure component with emerging e-commerce applications is an
interesting challenge. The dependencies between the growth of commerce in content,
consumer habits and the need for e-cash have to be better understood as well.
A recent interesting analysis of some of the reasons for the initial business
failures of micropayments is presented in [ ro99]. He also tries to explain
why a current trend of reverse micropayments (from companies to consumers
as rewards for reading advertisements or participating in some activity) may be
more successful at the moment.

7 Future Directions

In this section, we will briefly treat some potential scenarios, and discuss what
potential constraints/implications they may have on e-commerce. By the nature
of the discussion, it is impossible to be exhaustive in this exposé, and we
focus only on a few potential events, and do not consider the implications of
combinations or extensions of these.

7.1 Legal Restrictions on "Financial Cryptography"

In light of the current debate, it is not unlikely that some countries will impose
restrictions on the type of cryptography used by their citizens. Currently such
limitations are on bulk encryption and are set from a national security perspective.
However, this may change with the likely growth of e-commerce in terms of its
impact on local economies. In this case, the flow of money becomes as important
to control as the flow of information (recall the above policy papers mentioning
threats of e-cash). Therefore, even if payment schemes are not easily abused for
use for secret communication, local governments are likely to want to control the
flow of services and funds, much in the sense of what customs does for its physical
counterpart. This desire may further limit what kinds of payment schemes are
employed, and may, for example, force privacy to become more of a legislative
measure than a technical measure. Alternatively, it may create markets for local
payment schemes (for which users enjoy privacy, but taxes are automatically
charged by the local government as a part of any transaction), and global schemes
mainly employed for exchange of currencies between local schemes. These, in
turn, would work as the interfaces between different legislative and tax domains,
and would have taxation as a main objective. In such a situation, "black market"
exchange of funds may become a problem much resembling what piracy is today,
and would have to be battled with a combination of legislative and technical
measures.

Another limitation may prevent or restrict certain types of cryptographic
tools from being employed, either globally or in particular countries. This in itself
may cause different schemes to be employed, as will local requirements on the
functionality of the schemes (something we can already witness today with the
division between European cash cards and U.S. credit cards). Existing cultural
differences which typify variations in physical payment methods may migrate
into the e-payment systems. Additionally, and as we will discuss in the next
subsection, a multitude of different schemes may evolve and be employed in the
same market.

7.2 Many Parallel Standards

Payment schemes today give the impression of being on the way to becoming a
niche market in which we have a few leaders for common types of payments, and
special schemes used only in particular situations. There are many reasons that
such a variety of schemes may be deployed, either symbiotically or in competition
with each other. The reasons range from corporate interests to varying
requirements on payment schemes based on their usage. One example of the
symbiotic use was given in the previous section, while others could arise to give
users better functionality, and to cover a variety of situations. For example, fast
and low-overhead schemes are useful for situations like paying for daily commuting
tolls, while frequent-flier programs and the like require no speed of transactions,
and may put restrictions on how funds are transferred and used (or taxed when
doing so). Still, incorporating schemes to allow for a consolidated presentation to
the user, and allowing for (potentially automatic) transfer possibilities, gives rise
to a much more versatile construction. Whereas much of the problem remaining
to be solved is that of building an appropriate infrastructure, it is also important
to implement mechanisms for monitoring (by law enforcement, customs,
arbiters, and others). It is interesting to notice the tradeoff between monitoring and
privacy here, giving rise to a much more severe potential privacy intrusion than
what has previously been considered.

7.3 Advances in Cryptanalysis

Advances in cryptanalysis have the same potential as legislation to change the
payment scene by limiting the allowed types of operations. This may restrict the
use of certain schemes or types of schemes. It is noteworthy to point out that a
vast majority of payment schemes discussed in the cryptographic community are
based on public key cryptography. In the unlikely event of a major cryptanalytic
breakthrough, a new approach may be needed. This, along with concerns of legal
restrictions, calls for careful studies on how to implement desirable payment
schemes relying on secret key cryptography or on other methods or combinations
of methods to ensure correctness of payments.



7.4 Social and Technical Changes

Clearly, social changes can be expected to have a major impact on the field.
For example, if PDA's become as common as credit cards are, it will drastically
simplify the building of a new infrastructure for payments. Similarly, technical
changes, such as a substantial increase of the available communication bandwidth
(and the price for it), may affect what types of schemes are employed. As
an example, it makes little sense to implement off-line payment schemes if the
cost of communication drastically falls, given the higher costs and complexity of
such schemes. There is a trend towards both of these changes. However, at the
same time as such changes simplify the employment of payment schemes, they
also increase the security concerns, as should be evident from the existence of
viruses. So far, these have not started to surface on PDA's, but such an event
is likely to only be a matter of time. Likewise, due to the lack of electronic payment
schemes in common use, viruses have not started to target the wallets of
users. This, too, may simply be a question of time. From a technical point of
view, that should prompt more secure operating systems to be constructed for
these devices (or not relying completely and solely on the computing platform),
as well as recovery mechanisms for payment schemes. These may be based on
automatic arbitration, supported by tracing mechanisms and detection mechanisms
controlling "unusual" flow patterns. The latter, in turn, forces pattern
categorization, which may be questionable in terms of privacy concerns if not
performed by the user himself, or made non-interpretable to a third party looking
for differences in behavior.



8 Conclusion

We have presented some of the past issues with the technology of electronic
payments. This area is challenging and promising. We believe that the need for
it is inherent, though the difficulties in achieving it are extensive and interrelated
to many more general e-commerce and secure infrastructure issues. We
have surveyed some prototypical examples from the past and the present. We
categorized the technical solutions. We further related the technology to many
non-technological constraints and discussed possible future needs, directions and
possibilities. While we could not have possibly covered all areas and systems in this
very prolific field, we hope we have presented the basic technological
developments (granted, with unintentional omissions!). We believe we have pointed to
various interesting and challenging issues for further activities. These activities
are needed in numerous areas: research, business development, technical research
and development, social, legal and political studies and other interdisciplinary
areas related to e-commerce and payment mechanisms.
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r ptograp ca pro id s curit -s r ic s bas d o 11-fou d d at atics. 
k probl it appl i g cr ptograp to r al- orld probl s is, o r, 
t i t rfac to r al lif . I t is pap r i stigat a applicatio ar a r 
t is probl is r id t, i. t pr s tatio of a docu t t at is to b 
digitall sig d. 

Digital signatures for applications like electronic commerce require high
security standards. Some countries have already proposed to embed digital signatures
into legal frameworks; the most prominent example might be the German digital
signature law "Signaturgesetz" [1,2]: this law requires (among other things)
the following ITSEC security levels for any system used for dealing with digital
signatures:

— the storage component for the secret key (usually a smartcard) must meet
the criteria of ITSEC E4 [3], and

— the component for presenting a document (document viewer) must meet
level E2.

Other minimum requirements for the basis of digital signatures exist under this law.

Considering this legal framework from a technological perspective, it
is evident that one of the weakest components is in practice a document viewer
running on a PC with a standard operating system like Windows: if
evaluated at E2, the software offers little protection against manipulation.
This is in particular problematic if the platform used for viewing such
a document is not "under control" of the digitally signing party, but belongs to
the other party that wants someone to sign a document: It is fairly trivial to
manipulate such a system, so a person signing a contract or money order in an
unknown, untrusted environment cannot be sure what her smartcard actually
signs. This could turn out to be a major obstacle against the widespread use of
digital signatures in practice.

R. Baumgart (Ed.): CQRE '99, pp. ...
© Springer-Verlag Berlin Heidelberg 1999

This problem is, in principle, easy to solve: raise the security level and require
a closed, trustworthy system for applying digital signatures. Unfortunately, this
solution is extremely hard to put into practice, both because it is expensive and
since dedicated hardware, which would be required, simply does not fit into
today's computing world.

This paper proposes a pragmatic approach that reduces the risks of using
digital signatures by integrating a customer's PDA into the creation of digital
signatures: the PDA is used as a document viewer and it controls the smartcard
by unlocking the card's signing function using cryptographic means. We refer to
this approach as the Personal Card Assistant (PCA). The PCA does not increase
security per se, since a PDA can be attacked similarly to a PC. However, as we
assume that a PDA is a device that belongs to the person who wishes to apply a
digital signature, such a device will be more trustworthy for that person than,
for instance, a vendor's PC. We therefore regard our approach as a trust
amplifier, making users of digital signatures feel more comfortable with the
technology. The notion "trust amplifier" for such a device covers this quite
precisely. We will see in the sequel of this paper that this at first sight very
straightforward idea opens up a number of very interesting questions from a
technological and research perspective.

The paper is organised as follows: Section 2 introduces the concepts and
components behind the Personal Card Assistant, Sect. 3 describes and analyses
the cryptographic protocol used in our scenario. Section 4 investigates the
requirements of a network and service infrastructure for implementing the
scenario and proposes a Jini-based approach for it. We discuss related work in
Section 5 and finally draw conclusions from our work in Section 6.



2 The Personal Card Assistant

A smartcard is a (comparably) tamper-proof device that offers cryptographic and
other functions that can be accessed over a simple I/O interface. For performing
critical functions, it is required that the legitimate user is authorised against
the card by entering a PIN code (often referred to as card holder verification,
CHV). As a smartcard has no interface to interact directly with a human being,
all communication is done via a card reader using a keyboard and screen that is
either built into the reader or is attached to a computer. It is planned to integrate
keyboards, biometric sensors and screens directly on the card, but that is not
yet common.

Thus, smartcard-based applications rely upon the trustworthiness of the
environment the card is working in. Our scenario aims at improving this
situation; the PCA consists of a secure core component, the smartcard, and a
conventional, personal computing device, the PDA. Both can either be tightly
coupled by integrating the card into the PDA, or they can be coupled by
cryptographic means. We consider the latter case, where the coupling is achieved by the
fact that each component knows the public key of the other. Key exchange
takes place in a secure environment, e.g. when the smartcard is personalised or
purchased.

In the PCA scenario, the role of the smartcard is to provide both secure
storage and a trusted platform for cryptographic computations, and the PDA
provides a user interface, computing power, and additional storage. The sharing
of public keys enables both to establish a secure communication channel even if
they are physically separated.

An application will typically run on the PDA, making use of its I/O capabilities,
and access the smartcard for cryptographic functions. But it is also possible
to run the application on the smartcard and use the PDA simply as a supplementary
device; this is comparable to the SIM approach [4] where an
application running on the smartcard controls the operation of a mobile phone.

A PDA is open to attacks similar to those applicable to a PC. However, it is
likely that the owner accepts a much more restrictive security policy on a PDA
than on a PC or workstation, e.g. concerning the download and execution of
unknown software. It is also realistic to set a separate PDA aside for performing
critical transactions such as digital signatures.

From a pragmatic viewpoint, one may accept the PDA as a "trust amplifier"
due to its nature of being directly associated with a person. To its owner, it
is much more trustworthy than an unknown terminal, controlled by strangers,
located in an untrusted environment.

3 Safer Digital Signatures

We present a scenario where the use of the PCA can impact the process of
creating a digital signature. Our example describes a setting where a document
created by one party, e.g. a contract offered by a vendor, is to be signed by a
second party, the customer.

Our approach involves the following components:

— A PC or workstation that is used to create a document to be signed. This
could be a vendor's terminal.

— A smartcard reader, either connected to this PC or being a separate device.

— A PDA that belongs to the person who wants to sign a document.

— A smartcard for signing a document by encrypting a hash value.

We require that each of the PDA and the smartcard have the public key of the
other one stored, i.e. they together constitute a PCA. We assume that components
can communicate over arbitrary communication channels; as an example
one can figure using the PDA's infrared interface.
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5)o) Check PDA's signature 

b) Extract document 
hash 

c) Sign with card's 



2) Transfer 
Document 
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3) Check Document, 
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secret key if pleased 



The P he e fSggDce 

3.1 Bird's Eye View of the Scenario

Figure 1 outlines the interworking of the components forming up our approach:

1. The document to be signed is created on the PC, and this document is stored
in a format that can be displayed on the PDA.

2. The document is transferred to the PDA.

3. The user checks the document on the PDA and approves it by signing the
document's hash with the PDA's secret key.

4. The document hash is transferred to the smartcard, which extracts the
document's hash value again and creates the final signature.

This procedure differs from the standard approach to using digital signatures in
two important points: First, we "route" the document over the PDA for being
checked by the signing person; second, we assume that the smartcard of the
signing person and the PDA form a pair, tied together by their public keys. In
particular, the card will not sign any data unless these data were "approved"
by the PDA's secret key. We shall elaborate the concrete procedure for this
subsequently.

The Cryptographic Protocol

Hereafter, we will use the identifiers E and D for denoting the smartcard's public and private keys respectively, and similarly E_PDA and D_PDA for the PDA's. The application of a key K to a message M, e.g. encrypting the message, will be denoted by K(M).

Figure 2 visualises the communication between the components forming our approach:

PC -> PDA. The PC sends a document D to the PDA.

The PDA's function: the PDA displays the document D and computes h = Hash(D).

If the user wishes to sign the document, she approves it. We propose to implement this by having the user enter the card's PIN, which has the side-effect that the PDA is used as a PIN pad.

PDA -> Smartcard. The PDA sends the message

M = E(D_PDA(h, PIN))

to the card.

In plain English: the PDA signs the document hash and the PIN with its private key and encrypts the resulting data with the card's public key. Note that the contents of M can only be reconstructed with the secret key D matching E.

The card's function: the card deciphers the message by computing

(h, PIN) = E_PDA(D(M))

I.e.: the card extracts the PIN and the hash h from the message M using its own private and the PDA's public key. The procedure aborts if verification of the PIN fails.

Smartcard -> PDA. The card sends D(h) to the PDA, which is the document hash signed with the card's secret key. This constitutes the final signature.

By signing the data sent to the card, the PDA assures the authenticity of the data. This is necessary since the smartcard will only sign a hash value that originates from the PDA. With the PDA's signature, separate steps for authentication and key exchange are avoided.

Entering the PIN ensures that the signing process is authorised by the owner of the PDA. This addresses the issue that PDAs are not very well protected against unauthorised use. To protect the PIN from attackers intercepting the message to the card, the message is encrypted with the card's public key.
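The exchange above, as an added example that is not code from the paper or its prototype: a Python model of the three parties using textbook RSA over tiny Mersenne-prime moduli (constructed and insecure, chosen so the block runs with the standard library only). E/D and E_PDA/D_PDA follow the paper's notation. The hash is truncated to 128 bits and the PIN packed into 16 bits so that (h, PIN) fits below the PDA modulus and the PDA's signature fits below the card modulus; both are details of this model, not of the paper. The card aborts on a wrong PIN and on a payload that was not produced with D_PDA, and the final signature D(h) verifies with E alone.

```python
"""Toy model of the PCA signing protocol: PC -> PDA -> smartcard -> PDA.
Textbook RSA with Mersenne-prime moduli; key material is constructed for the
demo and NOT secure."""
import hashlib

# Constructed key material: products of known Mersenne primes.
_P_CARD, _Q_CARD = (1 << 107) - 1, (1 << 127) - 1   # card modulus, about 2^234
_P_PDA, _Q_PDA = (1 << 61) - 1, (1 << 89) - 1       # PDA modulus, about 2^150
E_EXP = 65537                                       # coprime to both phi values


def _keypair(p, q):
    """Return ((e, n), (d, n)): the public and private key of one device."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E_EXP, n), (pow(E_EXP, -1, phi), n)


E_CARD, D_CARD = _keypair(_P_CARD, _Q_CARD)   # E, D in the paper
E_PDA, D_PDA = _keypair(_P_PDA, _Q_PDA)       # E_PDA, D_PDA in the paper

HASH_BITS,  PIN_BITS = 128, 16   # packed (h, PIN) stays below the PDA modulus


def apply_key(key, m):
    """K(M) in the paper's notation: a raw RSA operation with key (exp, n)."""
    exp, n = key
    return pow(m, exp, n)


def doc_hash(document: bytes) -> int:
    """Hash(D), truncated to 128 bits so the packed payload fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest()[:HASH_BITS // 8], "big")


def pda_sign_request(document: bytes, pin: int) -> int:
    """PDA -> card: M = E(D_PDA(h, PIN)). Signature with message recovery,
    then encryption under the card's public key (sig < n_PDA < n_card)."""
    h = doc_hash(document)
    packed = (h << PIN_BITS) | pin
    return apply_key(E_CARD, apply_key(D_PDA, packed))


class Smartcard:
    """Holds D and E_PDA; signs only hashes that arrive signed by the PDA and
    carry the correct PIN. sign() returns None when the protocol aborts."""

    def __init__(self, pin: int):
        self._pin = pin

    def sign(self, message: int):
        packed = apply_key(E_PDA, apply_key(D_CARD, message))   # (h, PIN) = E_PDA(D(M))
        if packed >> (HASH_BITS + PIN_BITS):     # garbage: not produced with D_PDA
            return None
        h, pin = packed >> PIN_BITS, packed & ((1 << PIN_BITS) - 1)
        if pin != self._pin:
            return None                          # abort: PIN verification failed
        return apply_key(D_CARD, h)              # final signature D(h)


def verify_signature(document: bytes, signature: int) -> bool:
    """Anybody (e.g. the vendor) checks E(signature) == Hash(D)."""
    return apply_key(E_CARD, signature) == doc_hash(document)


def run_protocol(document: bytes, user_pin: int, card_pin: int):
    """End-to-end run; returns the final signature or None on abort."""
    card = Smartcard(card_pin)
    return card.sign(pda_sign_request(document, user_pin))


if __name__ == "__main__":
    contract = b"Constructed sample contract: 1 unit at 10 EUR"
    sig = run_protocol(contract, user_pin=1234, card_pin=1234)
    print("signature valid:", verify_signature(contract, sig))
    print("wrong PIN aborts:", run_protocol(contract, 4321, 1234) is None)
```

Because the card recovers (h, PIN) with E_PDA, a message built without D_PDA decodes to random bits; the block mirrors the paper's analysis in that such a message is rejected unless both the garbage PIN field and the length check happen to pass, in which case the card would only have signed a meaningless hash.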

Informal Security Analysis

Under the assumption that the PDA and the card of the scenario described in Section 3.2 are trustworthy, the protocol can only be attacked by manipulating data sent between the components:

PC -> PDA. The attacker does not gain anything from manipulating D since the document will be checked by the signer. Neither does replaying this message, nor preventing it from arriving, offer any advantage to attackers.

PDA -> Smartcard. Under the assumption of secure cryptographic algorithms and sufficient key lengths, the contents of the message M are not reconstructible. Since the range of the PIN is restricted, there is a slight chance that a forged message gets signed by the card if D_PDA is not known. However, the signature produced will surely not be valid for any document, as the hash value reconstructed by the card will be totally random and not correspond to any meaningful document.

A replay of this message to the card would create only duplicates of the signature computed by the card, which is acceptable. Blocking the communication between the PDA and the card prevents only the generation of signatures.

Smartcard -> PDA. Since only the completely generated signature is transmitted, there is no meaningful attack left. The signature can be easily verified by the vendor or anybody who is interested.

Note that the assumption about the PDA's trustworthiness made above is not necessarily justified: a PDA is usually not a secure system and is, in principle, as easy to manipulate as a PC if an attacker can temporarily control the device. However, in practice it is certainly more difficult to attack such a mobile device than a

e ha e c g he P a e h he ha h cha ge h a 
See a ^^'aefP e ,ab efceaacbe eag 

b e P be be The a ache hahae-hgh -ee 

ch a ac , ce he c e f he e c e e age bee e g f be g 

e e a e 
Infrastructure for PCAs

In the previous sections we have shown the usefulness of the personal card assistant by giving an example application: digitally signing documents in untrusted environments. Still missing is an evaluation of the practical feasibility of our approach and suggestions of what the infrastructure for environments that support PCAs could look like. The scenario is supposed to be used in environments where the network architecture, names and location of servers, card readers, etc. are unknown, so we need to have means to integrate the PCA into a local service network.

Jini

In distributed and mobile scenarios like ours it is important that communication partners such as the PCA and a vendor terminal find each other seamlessly and efficiently. Jini [5, 6] is a recently released technology from Sun Microsystems for federating network devices and services. It explicitly addresses many of the problems involved around establishing spontaneous client-server interaction in a priori unknown environments.

Jini is based on the Java facilities for code shipping among different Java virtual machines (JVMs). A so-called lookup service [7] acts as the central registration authority for services. Arbitrary services register with the lookup service using a bootstrapping protocol [8] and provide a serialised Java object called service proxy with some additional descriptive information. Potential Jini clients contact the lookup service to query for services they are interested in and download and invoke the associated proxy objects. These proxies are then executed in the virtual machine of the client and implement the communication with the (mostly) remote Jini service they were launched from.

We chose Jini as a middle tier for dynamically establishing connections between the different services that comprise our scenario since it seems to offer much of the functionality needed.

The PCA Scenario with Jini Infrastructure

In our scenario we envision a Jini-enabled infrastructure consisting of a lookup service, a PDA, a card reader, and some other services such as a vendor's terminal. The PDA and the card reader must themselves register with the lookup service to offer the services relevant for the application.

In our scenario the PDA would offer a document viewing service that displays the contract document to the customer (cf. Figure 3, upper part). If she accepts the document after reading it on the PDA, she inserts her signature smartcard into the vendor's card reader. The reader recognises the smartcard and registers a document signing service with the lookup service (cf. Figure 3, bottom left).

The PDA receives the respective proxy object and passes the encrypted and signed document hash value to the proxy. The proxy encodes the data and sends it to the smartcard (cf. Figure 3, bottom right).

The smartcard reconstructs the document's hash value from the received data. It applies the signature key to it, thus creating the digital signature, and returns it to the PDA's proxy object, which in turn returns the final signature to its client.



Integration of the PDA with the Jini Federation

We chose the 3Com Palm Pilot III for implementing our prototype with a PDA since it is in widespread use and many tools are available on the net. It offers a serial connection via the cradle and an infrared device that is compliant to the IrDA standard [9]. Future PDAs might also use wireless technologies such as Bluetooth [10, 11].

On the hardware level the local network must offer an entry point for the PDA. In any case there must be a point-of-presence the PDA can be connected to on the hardware level, which in our case is a standard PC.

Since to our knowledge there doesn't exist a full Java 2-compliant JVM for the Pilot yet, we needed to separate the functionality of the Document Signing Service into a Jini part which runs on the host the PDA is connected to, and the application on the Pilot implementing the display engine and the encryption algorithms. Both parts of the service communicate via a protocol running over the serial line. Hence, the registration of the service with the lookup service is done on the host, whereas the security-critical part of the application runs on the Pilot.

Integration of Smartcards with the Jini Federation

A smartcard reader device can support Jini either by directly integrating a JVM within the reader or by simply attaching it to a device bay, a technique for making non-Java devices available to Jini federations [12]. For a workstation reader a dedicated process performs the Jini tasks. Thus, it is able to act as an ordinary Jini device, registering services to employ smartcards.

The types of services offered can range from basic interfaces accessing the primitive functions of the reader to sophisticated services corresponding to the functionality of inserted smartcards. This is similar to approaches like the OpenCard Framework [13, 14] and PC/SC [15]. These frameworks hold static information about smartcards and their services offered. Both supply high-level interfaces to applications for accessing smartcards as well as direct access to readers.

For Jini, it is desired to detect the functionality of a smartcard dynamically, when it is inserted into the reader. After that, corresponding services can be registered with the lookup service. The service proxies should offer application-level services which hide the characteristics of their implementation on the smartcard.

Especially Java smartcards have dynamic functionality, i.e. applets can be downloaded to the card while others might be deleted from the card. Unfortunately, directory services keeping track of the installed applets are manufacturer-specific. A generic service detection facility must take this into account.

The ATR (answer-to-reset) string sent by a card when connected gives at least static information about the card, e.g. the manufacturer, card type etc. This information can be used to load a procedure (implemented by a Java class) from a dedicated location which could, for instance, be a unique web address depending on the card's ATR string. Such an executable could then run a card-specific protocol to create a directory of the installed applets. This information can be passed to the reader device which registers corresponding proxies for the applications inside the card with the lookup service.

We have realised a Jini smartcard service which implements a primitive interface to a card reader attached to a workstation. It allows for the exchange of card APDUs (data packets used in communication with smartcards), which is the least common interface to all smartcards. Applications must be aware of the APDUs a certain smartcard understands and encode requests according to the card's own protocol themselves. This heavily limits the range of cards an application can interact with. However, this primitive interface is the base upon which higher-level services can be built.

The smartcard service is registered with the lookup service by the workstation the card reader is connected to. Proxy objects communicate through Java RMI to a server object on that workstation which passes the requests on to the card reader.





Protection of Services

Providing access to smartcards is potentially dangerous in an open environment like a Jini federation, especially when offering a simple service like the exchange of APDUs. A malicious client may perform a brute force attack on the authentication codes of the card which will either reveal the codes or lock up the card, i.e. make it unusable to the legitimate user. It is therefore desirable that only authorised clients can make use of such services. There is no standard mechanism in Jini which provides this kind of security yet. A possible solution might be a Kerberos-like authentication service [16] that makes services available to trusted clients only.

The PCA has the advantage that the PDA (the client) and the smartcard (the server) are tightly coupled. The smartcard accepts only authorised requests, which must be signed by the PDA. A separate authentication service is not required in this case.
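As an added example (not code from the paper or its prototype), the following Python block models two things from the preceding sections: the ATR-keyed detection of a card's applets over the raw APDU interface, and the lock-up failure mode a brute-forcing client causes on such an open interface. The ATR prefix, the candidate AIDs and the simulated card are constructed for the demo; only the ISO 7816-4 command/response layout, the SELECT (INS A4) and VERIFY (INS 20) commands and the status words 9000, 6A82, 63Cx and 6983 are standard. The PROBES table stands in for the paper's idea of loading a card-specific Java class from a location derived from the ATR string.

```python
"""ATR-keyed applet detection over raw APDUs, and PIN brute-force lock-up.
ATRs, AIDs and the card are constructed; APDU layout follows ISO 7816-4."""
from dataclasses import dataclass

SW_OK, SW_NOT_FOUND, SW_BLOCKED, SW_INS_UNSUPPORTED = 0x9000, 0x6A82, 0x6983, 0x6D00


def build_apdu(cla, ins, p1, p2, data=b"", le=None) -> bytes:
    """Short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        apdu += bytes([le])
    return apdu


def split_response(resp: bytes):
    """Response APDU is [data] SW1 SW2; return (data, status word as int)."""
    return resp[:-2], int.from_bytes(resp[-2:], "big")


@dataclass
class SimCard:
    """Constructed card: a set of installed AIDs and a PIN with 3 tries."""
    atr: bytes
    applets: set
    pin: bytes
    tries_left: int = 3

    def transmit(self, apdu: bytes) -> bytes:
        ins, p1 = apdu[1], apdu[2]
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""
        if ins == 0xA4 and p1 == 0x04:                     # SELECT by AID
            sw = SW_OK if data in self.applets else SW_NOT_FOUND
        elif ins == 0x20:                                  # VERIFY (PIN)
            if self.tries_left == 0:
                sw = SW_BLOCKED                            # card locked for good
            elif data == self.pin:
                self.tries_left, sw = 3, SW_OK
            else:
                self.tries_left -= 1
                sw = 0x63C0 | self.tries_left              # 63Cx: x tries remain
        else:
            sw = SW_INS_UNSUPPORTED
        return sw.to_bytes(2, "big")


# Constructed AIDs the probe below knows about (hypothetical, for the demo).
CANDIDATE_AIDS = {
    bytes.fromhex("A00000000110"): "DocumentSigningService",
    bytes.fromhex("A00000000120"): "PurseService",
    bytes.fromhex("A00000000130"): "LoyaltyService",
}


def probe_by_select(card, candidates):
    """Directory protocol for this constructed card family: SELECT each known
    AID and keep the ones the card acknowledges with 9000."""
    found = []
    for aid, service in candidates.items():
        _, sw = split_response(card.transmit(build_apdu(0x00, 0xA4, 0x04, 0x00, aid)))
        if sw == SW_OK:
            found.append(service)
    return found


# ATR prefix -> probe procedure; stands in for the ATR-derived class location.
PROBES = {bytes.fromhex("3B8F8001"): lambda card: probe_by_select(card, CANDIDATE_AIDS)}


def detect_services(card):
    """Services to register for this card: the raw APDU service always, plus
    whatever the ATR-selected probe finds."""
    services = ["RawApduService"]
    for prefix, probe in PROBES.items():
        if card.atr.startswith(prefix):
            services += probe(card)
    return services


def brute_force_pin(card, guesses):
    """What an unauthorised client can do over an open raw-APDU service: burn
    the retry counter. Returns the status word observed for each guess."""
    return [split_response(card.transmit(build_apdu(0x00, 0x20, 0x00, 0x01, g)))[1]
            for g in guesses]


if __name__ == "__main__":
    card = SimCard(atr=bytes.fromhex("3B8F80018031"),
                   applets={bytes.fromhex("A00000000110"), bytes.fromhex("A00000000130")},
                   pin=b"1234")
    print(detect_services(card))
    print([hex(sw) for sw in brute_force_pin(card, [b"0000", b"1111", b"2222", b"3333"])])
```

After three wrong guesses the fourth VERIFY returns 6983 and so does the correct PIN afterwards: the legitimate user is locked out, which is why the raw APDU service must not be reachable by arbitrary federation members.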

Related Work

PDAs are becoming popular devices, but PDA-based applications to solve security-related problems are sparsely described in the literature.

Pfitzmann et al. [17] discuss portable end-user devices (PEDs) and security modules and define a number of requirements to be made for such devices. They observe that trustworthy PEDs do not exist and conclude that therefore "the development of secure applications should concentrate on protocols and procedures"; we presented an instance of such an approach.

Daswani and Boneh [18] consider PDAs for performing cryptographic computations for electronic commerce applications. Their approach differs from ours in that they describe a scenario where the PDA replaces the smartcard, rather than complementing the card as we propose.

Recently, the Secure Internet Programming group at Princeton University published on the web information about a project that aims at integrating smartcards and PDAs [19]; this approach aims in a similar direction as our approach, but no results seem to have been published yet.

Our approach to integrating smartcards into a Jini-based infrastructure is related to the OpenCard Framework (OCF) as well as the PC/SC architecture. Within these frameworks, the mapping from ATR strings (card types) to services is triggered from a separate installation process which introduces new smartcards or changed functionality. Both are restricted to the domain of a single workstation or PC, rather than offering the corresponding services in a local network.

A similar, but more low-level approach is followed by the Direct Method Invocation (DMI) mechanism proposed by Gemplus [20]. When a Java card applet is designed, an interface is defined from which a stub object is created. A call to the stub is translated into APDUs which are sent to the smartcard. There, the method call is reconstructed and the respective method is executed. This approach hides the nasty details of creating APDUs from applications but is only applicable to applications implemented on Java cards. Stub objects could, e.g., be used to implement service objects in Jini. An extended approach would be useful for Java cards in Jini environments: a proxy object could be automatically created from a Java card applet description. As mentioned in our scenario description, that object would have to be initialised with a channel to the card reader.

6 Conclusions and Further Work

In this paper we have presented the personal card assistant (PCA) which is comprised of two different devices, a PDA and a smartcard, that together implement a security-sensitive application. Both devices are tightly bound together by the public/private keys they share: the smartcard does not perform its task without the PDA and the PDA cannot perform the task without the help of the smartcard.

We have shown the applicability and usefulness of our approach with the scenario of digitally signing documents. Our prototype does not only verify the underlying cryptographic protocol and its implementation on the PDA and smartcard but furthermore aims at a general solution in terms of establishing "spontaneous" networking among the participating devices using Jini. We believe that networking infrastructures that solve similar problems as Jini, such as the Service Location Protocol [21] or the Secure Directory Service [22], will be of considerable importance in the future to enable the widespread use of PCA-based applications.

Subject to further research is the question if the PCA can be applied to problems in the domains of electronic commerce, electronic cash and tickets.

We would like to thank Dr. Klaus Huber for useful comments and suggestions on an earlier version of this paper.

References
1 Introduction

Use of public-key cryptography on the Internet has, to date, been driven by two major applications: SSL-protected web pages and S/MIME secure e-mail. Both of these applications utilise public key certificates in the format specified in the X.509 standard. A typical server certificate may easily exceed 1,000 bytes, while a user certificate may be twice that. Such certificate sizes are not a major concern in the desktop and portable environment, where multiple megabytes of memory and high-speed network connections are available.

Recently, however, a new class of devices has been gaining in popularity for Internet users. These devices include personal digital assistants (PDAs), cellular phones, pagers and other such devices. These typically have limited memory and a wireless network interface of relatively low bandwidth. For these devices storing and transmitting certificates and chains of certificates, where each certificate exceeds a kilobyte, may be problematic (c.f. [2 ], [ ], [ 9]).

Another area where large footprint certificates may create difficulties is in the use of smart cards in conjunction with public-key infrastructures. Mobile users may wish to use the same set of credentials with multiple systems. Smart cards offer the possibility of truly portable credentials by removing the credentials from the desktop and storing and using them within the secure perimeter of the smart card. Most smart cards have relatively small memories, typically a few kilobytes, and a low bandwidth I/O connection to the card reader. Here, as in the case of wireless devices, the transfer and storage of significant numbers of "heavyweight" certificates is not viable.

If secure messaging and Internet e-commerce are to be extended into today's wireless devices and smart cards, a more compact representation of the information in existing public-key certificates is required.

ghe ec eeef e eagee e, cae 

e a e ed ce fica e e e , e c 
2 Issues and Criteria for Compact Certificates

The most obvious goal for a compact certificate is that it be compact; other goals include limited resource requirements for processing the certificate, maintenance of adequate security, and compatibility with existing certificate-based services and applications.

2.1 Reduced Footprint

In defining a compact certificate format we need to reduce the storage requirements for the certificate, but without losing the functionality that makes the certificate meaningful and useful. The certificate must, within an appropriate context, identify the holder of the public key. It must also provide a secure binding between the key and its holder.

The combination of prudent security practices and digital signature legislation (c.f. [4]) is moving the industry toward a model where each user has different keys for encryption, authentication, and non-repudiation. A plausible goal, therefore, would be the storage of three different private keys and the corresponding public-key certificates in a device with four kilobytes of memory. If we assume that the device will need one kilobyte for basic operation and transient application data, and that the private keys and associated parameters will occupy another kilobyte, we are left with two kilobytes of storage for the certificates. This limits the average size of a certificate to just about one half of one kilobyte, or 512 bytes.

2.2 Limited Processing Requirements

In developing software, it is often possible to reduce the memory requirements of an application by increasing the processing time. This type of time-memory trade-off cannot be used extensively for compact certificates, since devices that have restricted memory size are also likely to have very limited processing power.

In addition to the burden on the constrained device, additional computation requirements may also cause problems for application servers that interact with these devices. While application servers are free of the memory and processing limitations of wireless devices and smart cards, they must perform operations on behalf of a large number of devices in a small amount of time. A significant increase in the time required to process a certificate could impair the server's ability to process transactions at the needed rate.

Some additional processing, above that required for existing X.509 certificates, may be required. In particular, a more computationally intensive data encoding method may be used. This additional processing required for encoding should be small in comparison to that required for public or private key operations.







2.3 Security

Public key certificates are used to provide a secure binding between an entity and its public key. Any modification to the certificate format must provide at least the same level of security as existing certificates.

As an example, it is tempting to consider reducing the modulus size of the public/private key pair. This can easily be accomplished without significant changes to existing infrastructure, but unfortunately, moduli are chosen for their security and any substantial reduction would create keys that can provide only short-term security.

In any new format, the security of the data representation must be examined as well. Signatures must be properly padded to avoid possible forgery, and parameter specifications must have sufficient integrity protection to avoid substitution attacks.

2.4 Compatibility with Existing PKI Infrastructure

To the extent possible, compact certificates should work interchangeably with existing X.509 certificates in existing applications in order to leverage the existing infrastructure. A new format that requires wholesale changes to the browser, server, and infrastructure is unlikely to be widely adopted.



3 Status of Compact Certificate Activities

By defining an "X.509 compatible certificate" as a certificate which is a DER encoding [24] of a signed ASN.1 [23] value which syntactically is compatible with the syntax defined in [22], it is possible to characterise compact certificate approaches into various classes, as follows:

- X.509-compatible but constrained certificates;
- non X.509-compatible certificates convertible to X.509 compatible;
- non X.509-compatible certificates not possible to convert to X.509 compatible; and
- approaches representing new paradigms.

This section presents a survey of approaches, classified with regards to this model.

3.1 X.509-Compatible Compact Certificate Approaches

The Swedish Terminal Specifications. These specifications, created by the Swedish Agency for Administrative Development ("Statskontoret"), are a family of interface specifications that form a security architecture for IT systems, taking end-user workstations as a basis. A basic concept in this architecture is end-user authentication, and for this reason IC cards are to be used where possible. Since these specifications were developed in the early '90s, when storage space on IC cards was more constrained than it is now, some tricks were used in order to fit end-user certificates onto these cards.

The specification [2] requires end users to have at least two certificates on their cards, one for authentication and key exchange purposes, and the other for digital signature purposes. By storing fields common to both certificates in a certain file (an elementary file for common certificate data), some savings are possible. The common fields are certificate version, signature algorithm, issuer name, validity, and subject name. Other fields (certificate serial number, public key and signature) are stored separately for each certificate, with a possibility to override the common fields. For two X.509 certificates of 500 bytes each (the specification assumes 512-bit keys), this normally yields a 3?% saving (the common certificate data file will be approximately 13? bytes and individual data approximately 1?2 bytes).



3.2 Non X.509-Compatible Certificates Convertible to X.509 Certificates

SET Compressed Certificates. The Secure Electronic Transaction protocol [ 6] is used to securely process credit card transactions on the Internet. A user is authenticated using a chain of X.509 certificates, from the end user through a well-defined hierarchy to a single root certificate. Such a certificate chain, stored in X.509 format with DER representation, may require between four and eight kilobytes of storage. The SET working group has proposed [ 9] a method for compressing these certificate chains to make them suitable for storage in smart cards.

The SET working group proposal achieves most of its savings by exploiting the properties of the certificate chain. Since a certificate is always preceded in the chain by its issuer, the issuer name and public key algorithm information may be omitted from the stored certificate. The resulting representation, in ASN.1 notation, is as follows:

    SETCardChain ::= SEQUENCE {
        version   INTEGER { cc1(1) } DEFAULT cc1,
        root      RootCertificate,                  -- Root CA
        bca       CompressedCertificate,            -- Brand CA
        gca       CompressedCertificate OPTIONAL,   -- Geo-political CA
        cca       CompressedCertificate,            -- Cardholder CA
        ch        CompressedCertificate             -- Cardholder
    }

    RootCertificate ::= CHOICE {
        iRoot     INTEGER,                -- Identifies generation of root certificate
        cRoot     CompressedCertificate
    }

    CompressedCertificate ::= SEQUENCE {
        version       INTEGER { v3(2) } DEFAULT v3,
        serialNumber  INTEGER (0..MAX),
        signature     CAlgorithmIdentifier DEFAULT sha1WithRSAEncryption,
        validity      CValidity,
        subject       CompressedName (SIZE(1..5)),
        subjectPKI    CSubjectPublicKeyInfo,
        extensions    CExtensions,
        signed        Signed
    }

A typical certificate chain comprising 4 levels (omitting the optional Geo-political CA), in compressed form and encoded using the Packed Encoding Rules (PER) from [25], can be represented in less than 2,000 bytes. This method works well with the well-defined hierarchy of SET, but it may not be usable in applications where the hierarchy is more complex and where the path from the user certificate to the root is not as obvious.

Parameterised Certificates. Ford and Solo recently proposed [7] an alternative to X9.68. The proposal was intended as an alternative to ANSI's X9.68 effort at the time. The proposal defines a parameterised certificate as an X.509 certificate involving two separate constructs:

- a certificate template, which is common to a family of certificates all of which have the same values in certain fields or sub-fields of the certificate (the other fields are considered parameterised); and
- a mini-certificate, which supplies values for the parameterised fields of the certificate template, corresponding to one particular certificate instance.

Portable client devices need store and transmit only the mini-certificate. Receivers are assumed to have access to the certificate template and need to reconstruct the original certificate from the template and the mini-certificate before validation. The proposal does not describe the encoding of templates and mini-certificates, but mentions that XML could be used, or DER encoding. Whatever the solution, receivers have to be able to re-construct the original DER-encoded X.509 certificate from its parts.

As is apparent from this description, this proposal is very similar to the technique described in Section 3.1, but it belongs in a different category in our X.509-compatibility model since the certificates need to be converted before being used by ordinary X.509-certificate processing systems.

Compressed Certificates. The perhaps most obvious method for achieving smaller certificates is of course to apply compression algorithms to DER-encoded certificates. Tests performed by the authors with X.509 certificates containing 1024-bit and 2048-bit user keys reveal that the reduction is fairly small (~?%) unless the certificate contains long distinguished names or extensions with a lot of redundancy. This approach was proposed at the 1999 PKCS workshop [ 4] for storage of certificates on cryptographic tokens, but was rejected due to the rather minimal savings and problems of finding patent-unencumbered compression algorithms (which usually is a goal in the PKCS process).

3.3 Non X.509-Compatible Certificates Not Convertible to X.509 Certificates

SPKI. The Simple Public Key Infrastructure (SPKI, [6]) working group of the IETF has published a set of drafts that describe an alternative to X.509 certificates based on a different view of the purpose of certificates. The SPKI philosophy holds that binding entities in the physical world to keys in the digital world is not a solvable problem. Instead, SPKI focuses on assigning authorisations to keys and delegating those authorisations to other keys.

SPKI also abandons the attempt to define globally unique, X.500 style names for all entities. SPKI names use the SDSI [ 5] naming system, where all names are defined in terms of a local namespace. Namespaces may be nested and linked together to cover larger domains. The public key of a user named "John Smith" in the Engineering department of the "Acme" corporation might be referred to as "Acme's Engineering's jsmith". The public key may be referenced many different ways, through many different namespaces, but it always resolves to the same value.

SPKI syntax is a departure from X.509 as well. Instead of the standard ASN.1 syntax, SPKI uses S-expressions similar to those used in the Lisp programming language. These expressions may be represented in a notation that emphasises readability, or in a canonical form, which is base-64 encoded and more efficient for storage and transmission. All expressions are reduced to canonical form before any processing, including hashing or signing.

SPKI certs offer several possible ways of saving memory. Principals may be represented directly as keys, with no need for any form of name. Names are relative to a local namespace and may be shorter than X.500 distinguished names. Finally, keys may be included as hashes rather than complete values.

Representing issuers and subjects as public keys solely, without names, does save some memory space (a typical such SPKI certificate, representing a principal as a 1024-bit public key, encodes in its canonical form to ~300 bytes), but it may prove inconvenient for many users in many applications. If a human readable name is required, it must be kept in another certificate, negating any savings in space.

Using local namespaces also saves considerable memory over full X.500 distinguished names, but only for local applications. Internet-wide applications will need a hierarchical namespace that will be comparable in complexity to X.500 [2 ].

Use of hashes rather than full public key values can make the certificate considerably smaller, especially for large moduli. This, however, assumes that the public key itself is available elsewhere. If we store the public key outside the certificate, the total memory usage increases rather than decreases.

In summary, SPKI offers significant efficiency for local, key-centric applications. For large-scale applications, where human-readable names are required, it does not represent a great deal of savings over X.509.

ANSI X9.68. As a result of requests from the banking industry and vendors of equipment with limited storage capability, ANSI recently started a new work item, X9.68, with a goal to specify compact certificates. The following description is based on the eighth draft of X9.68, available in 1999 ([2 ]).

The compact certificate model defined in X9.68 is oriented towards a couple of specific usage scenarios, such as:

- account-based financial transaction systems; and
- efficient control and rights distributions for information-processing systems.

It is considered likely that these categories will employ communications with resource-limited mobile devices or systems having a high volume of transactions.

X9.68 explicitly states that the defined compact certificate type is not intended for general-purpose certification, but created to allow businesses to use public-key technology in an efficient manner (e.g. for transaction and account handling). Enrollment into X9.68-based domains may be carried out with X.509 v3 identity certificates but this is not regarded as a requirement. Part two of X9.68 [29] describes inter-operation with X.509: how to include X9.68 certificates in X.509 revocation lists, how to map between X9.68 certificates and X.509 certificates, and a possible way to convert from X9.68 certificates to X.509 certificates. The latter requires however the X.509 certificate signature to be stored inside the X9.68 certificate and hence a good deal of compactness is lost.

The X9.68 model separates PKIs into domains, where each domain is defined by a root CA that defines the policies, the public-key system and parameters that shall be used in the domain. Since these parameters will be known (through the root CA's certificate), end-entity certificates do not have to carry them. A domain root identifier is defined as the hash of the root CA's public key. This will ensure that different domains will have different root identifiers. End-entities (or leaf-entities in X9.68 terminology) are identified with local identifiers, which are only valid inside a domain and could be account numbers etc. Local identifiers must be unique within a domain. By combining local identifiers with domain root identifiers it is possible to construct unique identifiers for all members of all X9.68 domains.

Each domain must have at least one Domain Registration Authority (DRA), responsible for entering members into the domain; at least one Domain Certification Authority (DCA), responsible for certificate management; and may in addition have one or more Domain Attribute Authorities (DAA), responsible for issuing attribute certificates.

The current draft indicates that a certificate validation service in each domain is anticipated, and contains a partial specification of messages for such a service. A distinction is made between intra-domain validation servers and inter-domain validation servers. An intra-domain validation server is only required to handle the algorithms defined in its own domain. Certificate validation service clients contact inter-domain validation servers when cross-certificates need to be validated. An inter-domain validation server is therefore required to recognise and handle algorithms from all domains it recognises from a cross-certification standpoint as well. In addition to signed responses like in [ 2], X9.68 also anticipates environments in which signed requests to validation servers are required. A new form of revocation lists is defined, with syntax similar to the X.509 type CertificateList. A further list format is also defined, to be used on a subscription basis.

End-entities are not expected to send servers their certificates when authenticating; instead, they will send their local identifiers, assuming that servers will have appropriate access to certificate repositories. Attribute certificates (not public-key bearing) are expected to be used where suitable.

The certificate syntax is defined in ASN.1 but not at all compatible with X.509. There is a separate syntax for root CA certificates, DCA certificates, cross-certificates and leaf-entity certificates. Attribute certificates and public-key bearing leaf certificates share the same syntax (a public key is treated as an attribute). Specific attributes are to be included from X9.59 [26]. An interesting thing to note is that it is optional for DCAs to include validity periods in issued certificates. Instead, DCAs can include the issuing time in the certificate, leaving the decision of certificate validity periods to verifiers, similar to the model described in [6]. PER encoding is apparently allowed, yielding some further compression.

In summary, the main concepts in X9.68 are the notion of domains, in which each domain has its own public key system and associated parameters, and the use of local identifiers instead of the (intended) global namespace of X.509 certificates. The domain concept is said to simplify large volume transactions and use of PKIs in resource-constrained environments.

It has been reported by the editor of X9.68 [ ] that public-key bearing certificates of this type can be as small as 2?? bytes, but clearly this indicates usage of Elliptic Curve (EC) algorithms. Assuming a 160-bit public key and a signature made with a key of the same size, this means that an X9.68 certificate with a 1024-bit public key and with a signature made with a key of the same size will be approximately 13? bytes.

WTLS Certificates. The Wireless Application Protocol Forum (cf. [ ]) is a membership organisation devoted to developing protocols and applications for wireless devices such as mobile phones and palmtop devices. Since communication with these devices is bandwidth constrained, a set of lightweight versions of standard protocols has been defined for this environment.

Among these protocols is TLS [5]. The WAP version of TLS is called WTLS [2 ], and in this version of TLS a special kind of server certificate, called WTLS certificate, is being used. WTLS certificates are a compact form of X.509 certificates, which contain support for all X.509 certificate fields but only a small subset of public key algorithms. The encoding of these certificates is very similar to XDR [ 7] and is quite efficient. Excluding the size of subject and issuer names, an ordinary server certificate containing a 1024-bit key and having been signed with a 1024-bit key will in its encoded form be approximately 1?3 bytes or less. This is almost as small as PER-encoded X9.68 certificates if subject and issuer names are reasonably long.

The WAP Forum term for end-entities is WAP subscribers, and one important objective of the architecture is to enable secure identification of subscribers to services. For this reason, subscribers will be issued SIM cards ("Subscriber Identification Module"), which are to be inserted in WAP phones. The cards will contain subscriber certificates that are to be used in client-side authentications. Currently, WAP allows these end-entity certificates to be X.509 certificates, WTLS certificates or X9.68 certificates.



3.4 Compact Certificate Approaches Presenting New Paradigms

Certicom Implicit Certificates. Certicom has recently (c.f. [ ]) presented a certificate concept, implicit certificates (or implicit certs), offering a very small footprint and, allegedly, substantial computational savings. Implicit certificates are defined for use with elliptic curve (EC) crypto-systems, although other crypto-systems are also conceivable (but not in the current form). One of the main differences between these certificates and traditional ones is that unlike traditional certificates, implicit certificates bind entities to their private keys only after they use their private keys, since they are really just a combination of a signature and a public key.

In short, to create an implicit certificate, a CA defines the domain, i.e. the field F_q, a curve E over this field and some base point G on E (with order n). Furthermore, the CA selects a random integer c (c ∈ [1, n−1]) as its private key and publishes its public key Q_CA = cG. An entity A, wishing to receive an implicit certificate, sends its identity I_A together with a point αG to the CA (α ∈ [1, n−1]). The CA, after having validated the identity of A and the point, selects a random k (k ∈ [1, n−1]) and computes γ = αG + kG and s = h(γ, I_A)·c + k (mod n). After having received s and γ from the CA, A can compute its private key as a = α + s (mod n) and the public key as Q_A = aG. A's implicit certificate is I_A and γ. Certificate verification is done by verifying that Q_A = h(γ, I_A)·Q_CA + γ, and assurance about the public key will be given once the private key has been used.

The size of these implicit certificates will be the sum of the size of I_A (which can be perceived as a traditional certificate without a signature and a public key) and the size of γ, which will be a point on E. The point γ will probably be around 20 bytes if 160-bit curves are being used. If I_A is defined in ASN.1 (which is not necessary), the typical size, DER-encoded, will presumably be around 60-120 bytes, which implies a total storage requirement of 80-140 bytes for implicit certificates in most cases. Signature verification has an added advantage of just requiring one point multiplication, but one must bear in mind that this architecture will require substantial changes to current infrastructures in order to be accommodated. A similar construction has been presented earlier ([ ]).
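The implicit-certificate arithmetic above, as an added example (not Certicom's or the paper's code): it assumes the scheme in the form γ = αG + kG, s = h(γ, I_A)·c + k, a = α + s, Q_A = aG, with verification Q_A = h(γ, I_A)·Q_CA + γ, uses the public secp256k1 curve parameters and SHA-256 as h, and shows that a different identity does not reconstruct A's key.

```python
import hashlib
import secrets

# secp256k1 domain parameters (field prime P, group order N, base point G)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on E; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication k*point."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc


def h(gamma, identity):
    """h(gamma, I_A): SHA-256 over the encoded point and the identity, mapped into [1, n-1]."""
    data = gamma[0].to_bytes(32, "big") + gamma[1].to_bytes(32, "big") + identity
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1) + 1


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def ca_keygen():
    """CA private key c and public key Q_CA = cG."""
    c = rand_scalar()
    return c, ec_mul(c, G)


def entity_request():
    """Entity A picks alpha and sends alpha*G to the CA (alpha stays secret)."""
    alpha = rand_scalar()
    return alpha, ec_mul(alpha, G)


def ca_issue(c, identity, alpha_G):
    """CA: gamma = alpha*G + k*G, s = h(gamma, I_A)*c + k mod n; returns (gamma, s)."""
    k = rand_scalar()
    gamma = ec_add(alpha_G, ec_mul(k, G))
    s = (h(gamma, identity) * c + k) % N
    return gamma, s


def entity_finish(alpha, s):
    """A: private key a = alpha + s mod n, public key Q_A = aG."""
    a = (alpha + s) % N
    return a, ec_mul(a, G)


def reconstruct_public_key(identity, gamma, q_ca):
    """Verifier: Q_A = h(gamma, I_A)*Q_CA + gamma (one point multiplication)."""
    return ec_add(ec_mul(h(gamma, identity), q_ca), gamma)


def demo():
    """Returns (genuine key reconstructs, forged identity reconstructs)."""
    c, q_ca = ca_keygen()
    identity = b"alice@example.org"          # constructed identity I_A
    alpha, alpha_G = entity_request()
    gamma, s = ca_issue(c, identity, alpha_G)
    a, q_a = entity_finish(alpha, s)
    ok = reconstruct_public_key(identity, gamma, q_ca) == q_a
    forged = reconstruct_public_key(b"mallory@example.org", gamma, q_ca) == q_a
    return ok, forged
```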

3.5 Related Activities

Since quite a bit of the size of X.509 certificates can be attributed to the use of long object identifiers, the notion of relative object identifiers has been discussed lately within the joint ISO/IEC/ITU-T ASN.1 working group. As the name implies, these object identifiers are relative to the outermost previous full object identifier in a certain structure, e.g. a distinguished name. Consistent use of these identifiers could, in many circumstances, reduce the size of X.509 certificates by 10-15% (see below).



4 A Possible Approach within the Framework of X.509

The following design goals, based on objectives described in [7], have been used as a basis for the work described here:

— Retain all the semantics of X.509 unchanged;

— Allow a certificate-consuming application to have a uniform certificate processing logic, i.e., X.509-based validation logic for all certificates, including compact certificates;

— Allow use of more efficient encodings of the certificate for storage and communication in those environments in which DER-encoded X.509 certificates would constitute performance problems; and

— Leverage the installed base of X.509 products and infrastructure as much as possible.

Our approach has been to constrain certain fields in the X.509 definition of certificates, and by doing this achieve a more compact form of certificates while maintaining basic compatibility. Hence, certificates issued in accordance with the profile defined here should be directly usable in standard X.509-based environments. With the exception for the absence of X.509's authorityKeyIdentifier certificate extension, end-entity certificates should be compliant with the certificate profile defined in [9] as well. Our certificate format is also well suited for PER-encoding, yielding further compression. The syntax is defined in ASN.1 and presented below.



    CompactCertificate ::= SIGNED { SEQUENCE {
        version               [0] EXPLICIT CompactVersion DEFAULT v1,
        serialNumber          CompactCertificateSerialNumber,
        signature             CompactAlgorithmIdentifier
                                  {{CompactSignatureAlgorithms}},
        issuer                CompactName,
        validity              CompactValidity,
        subject               CompactName,
        subjectPublicKeyInfo  CompactSubjectPublicKeyInfo,
        extensions            [3] EXPLICIT SEQUENCE
                                  SIZE (1..compact-certs-ub-extensions)
                                  OF CompactExtension
    }}

The SIGNED parameterized type is imported from X.509.

4.1 CompactVersion Type

    CompactVersion ::= INTEGER {v1(0), v2(1), v3(2)} (v1 | v2 | v3, ...)

The CompactVersion type is equivalent to the X.509 Version type, and shall be set to v3 if any extensions are present.

4.2 CompactCertificateSerialNumber Type

    CompactCertificateSerialNumber ::= INTEGER (1..2147483647)

The CompactCertificateSerialNumber type is equivalent to the X.509 CertificateSerialNumber type, but constrained to serial numbers less than 32 bits long. This gives approximately 2 billion certificates per CA, which should be sufficient. The constraint, while not giving any space-savings for DER-encoded certificates, is PER-visible and will have an impact on PER-encoded certificate sizes.



4.3 CompactAlgorithmIdentifier Type

    CompactAlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE {
        algorithm   ALGORITHM.&id ({IOSet}),
        parameters  ALGORITHM.&Type ({IOSet}{@algorithm}) OPTIONAL
    }

This type is equivalent to the AlgorithmIdentifier type defined in X.509.
4.4 CompactName Type

    CompactName ::= SEQUENCE SIZE (1..compact-certs-ub-depth) OF
        CompactRelativeDistinguishedName

    CompactRelativeDistinguishedName ::= SET SIZE
        (1..compact-certs-ub-width) OF CompactAttributeTypeAndValue

    CompactAttributeTypeAndValue ::= SEQUENCE {
        type   ATTRIBUTE.&id ({CompactAttributes}),
        value  ATTRIBUTE.&Type ({CompactAttributes}{@type})
    }

This type is a restricted version of the Name type defined in [2 ]. Imposed restrictions are:

— an upper bound on the number of relative distinguished name components (depth) in a name; and

— an upper bound on the number of components in a relative distinguished name (width).

These restrictions are not only (obviously) restricting the size of encoded data, but also PER-visible, making PER-encoding of CompactName values more compact.

We have also defined one attribute for use in conjunction with CompactNames:

    compactIdentifier ATTRIBUTE ::= {
        WITH SYNTAX             CompactIdentifier
        EQUALITY MATCHING RULE  octetStringMatch
        SINGLE VALUE            TRUE
        ID                      compact-certs-at-compactIdentifier
    }

    CompactIdentifier ::= OCTET STRING (SIZE(20))  -- Could be key hash

    CompactAttributes ATTRIBUTE ::= {
        compactIdentifier,
        ...  -- For future extensions
    }

The intention is that values of type CompactIdentifier will contain unique identifiers for entities. By basing distinguished names on these identifiers, and basing the identifiers on key hashes, one achieves an architecture similar to the one described in [6].



4.5 CompactValidity Type

    CompactValidity ::= SEQUENCE {
        notBefore  [UNIVERSAL 23] VisibleString
                       (FROM ("0".."9" | "Z") ^ SIZE(13)),
        notAfter   [UNIVERSAL 23] VisibleString
                       (FROM ("0".."9" | "Z") ^ SIZE(13))
    }

This type is a constrained version of the Validity type defined in X.509. The constraints are PER-visible, yielding some compression in the case of PER encoding.
4.6 CompactSubjectPublicKeyInfo Type

    CompactSubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         CompactAlgorithmIdentifier
                              {{CompactPublicKeyAlgorithms}},
        subjectPublicKey  BIT STRING (SIZE(80..2192))
    }

This type is a constrained version of the corresponding type defined in X.509. The size constraint on the bit string, while not a limitation in any practical case, is PER-visible and yields some compression in the case of PER-encoding.

4.7 CompactExtension Type

    CompactExtension ::= SEQUENCE {
        extnId     EXTENSION.&id ({CompactExtensionSet}),
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING
    } (CONSTRAINED BY { -- Shall contain a value of type
                        -- EXTENSION.&ExtnType for the extension object
                        -- identified by extnId -- })

The EXTENSION object class is imported from X.509. The CompactExtension type is equivalent with the corresponding type defined in X.509, except for the fact that we do not require the value inside the extnValue OCTET STRING to be DER-encoded. This gives an opportunity for more efficient encodings of pro-
— "compressed" public keys (c.f. [ ]); and

— "compressed" public keys (c.f. [27]).

Certificates were signed with a key corresponding to the subject's public key (163 bit EC or a 1024 bit RSA key). Actual values of example certificates may be found in Appendix A (in the value notation defined in [23]).

A comparison of these certificate sizes with similar certificates in the X9.68 proposal shows, not surprisingly, that X9.68 certificates are smaller (approximately 60 bytes in the RSA case and 95 bytes in the EC case). The vast majority of this (approx. 75%) is due to the use of object identifiers to distinguish attributes, algorithms and extensions. As more information is added to the two types of certificates, they will grow at roughly the same rate, however. For more information about this, see [3].

5 Conclusions and Further Work

We have described an alternative certificate syntax, generating compact certificates. The syntax is fully compatible with the certificate syntax defined in X.509 v3. Compared to e.g. the draft of ANSI X9.68, the syntax does not sacrifice interoperability, but leverages on existing experiences and implementations. The price for this is slightly larger certificates than for non-X.509 compatible approaches, but we do not believe this difference to be a limiting factor. In particular, studying the on-going development and evolution of storage technology, it seems fairly clear that this small difference will have only minor impact on future systems. Furthermore, this storage disadvantage can be somewhat remedied by using PER-encoding instead of DER-encoding as well. If the signature is done on the DER-encoded certificate, a certificate-processing system will only have to re-generate the DER-encoding from the PER-encoding before usage. It is an interesting exercise to investigate how much work (and extra certificate-processing code) this would require.

It may seem that the advance of technology will obviate the need for compact certificates, since low-end devices will have both increased storage and faster processors. This is not necessarily the case, however, since the increased use of public key technology is likely to require that devices store a larger number of keys and security requirements may increase the lengths of those keys. Compact profiles for certificates for particular applications need to be considered as those applications are developed. It may also be useful to study some more radical options, such as including multiple public keys, each with its own attributes, in a single certificate. Certificate compression should be a useful area of research for many years.



A Example Compact Certificates

This appendix contains the certificates used in the examples in Section 4. The certificates are presented here in the value notation defined in [23].

A.1 Example RSA CompactCertificate

    exampleRSACert CompactCertificate ::= {
      toBeSigned {
        version v3,
        serialNumber 1234567890,
        signature {
          algorithm md5WithRSAEncryption
        },
        issuer {
          {
            {
              type compact-certs-at-compactIdentifier,
              value CompactIdentifier :
                '0123456789ABCDEF0123456789ABCDEF01234567'H
            }
          }
        },
        validity {
          notBefore "990503104300Z",
          notAfter  "990510104300Z"
        },
        subject {
          {
            {
              type compact-certs-at-compactIdentifier,
              value CompactIdentifier :
                '1234554321123455432112345543211234554321'H
            }
          }
        },
        subjectPublicKeyInfo {
          algorithm {
            algorithm rsaEncryption
          },
          subjectPublicKey '3048024100A0658F...0203010001'H
        },
        extensions {
          {
            extnId compact-certs-ce-ansi-x9-68BasicExtension,
            extnValue 'A0'H
          }
        }
      },
      algorithmIdentifier {
        algorithm md5WithRSAEncryption
      },
      encrypted '0A0658FCBB9BF8C6A0F66D60B7A554E2...'H
        -- 1024 bit signature
    }



A.2 Example EC CompactCertificate

    exampleECCert CompactCertificate ::= {
      toBeSigned {
        version v3,
        serialNumber 1234567890,
        signature {
          algorithm ecdsa-with-SHA1
        },
        issuer {
          {
            {
              type compact-certs-at-compactIdentifier,
              value CompactIdentifier :
                '0123456789ABCDEF0123456789ABCDEF01234567'H
            }
          }
        },
        validity {
          notBefore "990503104300Z",
          notAfter  "990510104300Z"
        },
        subject {
          {
            {
              type compact-certs-at-compactIdentifier,
              value CompactIdentifier :
                '1234554321123455432112345543211234554321'H
            }
          }
        },
        subjectPublicKeyInfo {
          algorithm {
            algorithm id-ecPublicKey
            -- parameters namedCurve : c2pnb163v1 (X9.62)
          },
          subjectPublicKey '0307AF69989546...D74880F33BBE803CB'H
        },
        extensions {
          {
            extnId compact-certs-ce-ansi-x9-68BasicExtension,
            extnValue 'A0'H
          }
        }
      },
      algorithmIdentifier {
        algorithm ecdsa-with-SHA1
      },
      encrypted '302E021507AF69989546103D79329FCC3D748...'H
    }

A.3 Example of CompactExtension

This extension is defined in [3].

    exampleExtension ANSI-X9-68BasicExtension ::= {
      keyUsage {digitalSignature, dataEncipherment}
    } -- PER encoded, this becomes '0xa0'
While e-mails increasingly replace paper bound mail, there is still a large necessity for conventional postal services and it can not be expected that the electronic analogue will supersede conventional mail entirely in the future, because e-mails obviously lack some properties of snail mail. Therefore it is necessary to integrate interfaces to postal services into the existing office communication environment.

Many small companies apply franking machines, which are issued by postal service providers (PSP). Currently all such franking machines are expensive special purpose machines, where most of them, or at least the security component, have to be carried to a post office to be loaded after prepaying a certain amount

R. Baumgart (Ed.): CQRE '99, LNCS 1740, pp. -, 1999.
© Springer-Verlag Berlin Heidelberg 1999

of stamps. The security of this procedure, i.e. that it is not possible to forge stamps, rests in the secrecy of the interfaces and tools. Even more modern franking machines with integrated modems to perform the loading remotely require a secure direct connection to the PSP and some sort of out of band payment for the bought stamps.

It is clear that it would be desirable to use existing office communication components, like multi purpose printers and PCs with connection to the internet, to replace the expensive special purpose franking machines and avoid the annoying trip to the post office. But performing the loading process via open networks like the internet and using standard peripherals to produce and print stamps evidently bears some risks. Hence it is necessary to integrate security mechanisms which prevent unauthorized loading of the franking machine and forging or copying of stamps.

Therefore the USPS initiated the information based indicia program [ ]. In this concept the authenticity of stamps is ensured by RSA or DSA signatures, which are encoded in a two dimensional barcode and printed as part of the stamp on a letter, for example. When a letter arrives at the PSP the stamp is scanned and the signature is checked after obtaining the certificate from a directory. Because one has to connect to a possibly remote directory server to look up the certificate to verify the signature, this step is certainly the bottleneck in the verification procedure. With current technology it seems impossible to check a non-negligible fraction of the huge amount of letters. Unauthorized stamping is prevented by using special purpose hardware at the client system. Because copying authentic stamps can not be prevented, it is necessary to integrate data characteristic for the letter like the zip-code, the address of the recipient and the date into the stamp. Thus, copying stamps only makes sense in circumstances where one needs to send many letters with identical characteristics. The possibility of copying stamps can be further restricted by limiting the time of validity. However, one can still imagine situations where illegal duplication of stamps may be a concern. Therefore it will be necessary to log the verified and unexpired stamps.

As noted above the application of digital signatures and accompanied public key infrastructures introduces an unreasonable overhead in the verification step. Because the signatures are exclusively checked by the PSP, it is clear that one may as well use symmetric algorithms with derived keys to obtain the same security features. This alternative approach, which is discussed in this work, will allow to check all arrived letters during the sorting process. Furthermore we will see that the special purpose hardware device with realtime clock is not necessary. Hence it will be much cheaper to implement our concept compared to [ ].

This paper is organized as follows: In Section 2 we will briefly explain the central features of USPS's information based indicia program [ ] and point out the deficiencies for broad application. In Section 3 we will introduce our approach using symmetric algorithms and general purpose smart cards.
There have been several publications treating the realization of secure electronic stamps. In [2] Pastor outlines how such a system might work. In [3] Tygar and Yee give a detailed discussion of the requirements and possible solutions, but in contrast to our concept they only consider protection by digital signatures. Furthermore there is a patent application on cryptographically secured electronic franking systems [4].

2 USPS's Information Based Indicia Program (IBIP)

In order to facilitate electronic franking and prevent fraud the USPS initiated IBIP [ ]. In this program the authenticity of an information based indicia (electronic stamp) is ensured by applying cryptographic mechanisms to data which are related to the piece of mail under consideration. In the following we will briefly highlight the main issues of IBIP and point out the problems for large scale application.

2.1 Brief Review of IBIP

Every customer who is willing to use electronic stamps buys a postal security device (PSD) as specified in [ , Part ]. This device is a special piece of cryptographic hardware with real time clock, which can be connected to the parallel port, for example. "For security reasons, the PSD will not be a generalized digital signature device." [ , page -4]. For the private key in the PSD the USPS creates a certificate containing the corresponding public key, which is stored in a certificate directory. The PSD can be loaded with a certain amount of stamps, by connecting to the USPS and triggering some sort of payment mechanism for the stamps. The loaded PSD is then used to issue electronic stamps which are encoded in a two dimensional bar code and printed on the letter. The stamp as specified in [ , Part ] consists of 49 bytes letter specific data (e.g. customer ID, date of mailing, destination, postage, serial numbers, ...) and a digital signature of these data which is generated by the PSD using its private key. Allowed signature mechanisms and key sizes are RSA 1024 bit, DSA 1024 bit or ECDSA 160 bit. Thus the size of the machine readable stamp is 177 bytes for RSA or 89 bytes when using EC-type signatures. Hence one has the choice between a barcoded stamp of reasonable size (EC) or efficient verification (RSA).

The part of the program which is not yet specified in [ ] is the verification procedure at the PSP. This verification step will need to consist of reading the barcoded stamp, connecting to the directory and verifying the signature. It is clear that there will be millions of letters which have to be handled every day. Thus it is clear that for performance reasons it will not be possible to verify every stamp. This may lead to "calculated" fraud.
2.2 Summarizing IBIP's Problems for Large Scale Application

In this section we will briefly summarize the major problems of IBIP for large scale application:

— IBIP requires special purpose hardware which leads to higher initial costs and hence may deter potential customers.

— The barcode which carries the stamp is relatively big, which leads to problems when stamping regular letters or postcards.

— When using EC-type signatures one obtains smaller signatures and barcodes but has to perform a less efficient verification procedure.

— In both cases (RSA, EC-type) one needs to look up the certificate in a directory, which makes the verification procedure inefficient and makes the verification of all stamps impossible.

3 A Cheap and Practical Way to Secure Electronic Stamps

In this section we will introduce a way to realize electronic stamps which solves the above problems without reducing security. On the contrary, our approach allows much more efficient verification and hence makes the verification of all stamps possible, which should lead to even less fraud. In our concept we assume that every customer has access to a PC equipped with a printer, a smart card reader and an internet connection. It is widely believed that within a few years smart card readers will become standard for PCs. Further, the PSP issues to all customers who want to use electronic stamps a dedicated software, called the stamp program, and a smart card. Each smart card has implemented a symmetric encryption function F and has securely stored a distinguished secret key SK_C. This secret key is derived from a master key SK_PO of a local office (e.g. for every ZIP-code) and the customer's ID_C using an arbitrary secure hash function h or alternatively a symmetric cipher in hash-mode. Further, each smart card has 2 internal counters z_1 and z_2, which cannot be accessed from the outside.

Like in the approach of IBIP our system consists of 3 stages: charging the smart card, generating stamps, and verification of the authenticity of the stamp by the PSP.



3.1 Charging the Smart Card

Before a customer can create electronic stamps, he has to charge his smart card. This is initiated by sending the charge command together with the amount x to the smartcard. The smart card increments the internal counter z_1 and uses its secret key to compute the encrypted charge request. This request contains the counter z_1, the amount x, the customer's ID and the command keyword. Then the stamp program sends this request to the local office (e.g. via mail, http, tcp).

After receiving this request, the PSP derives the customer's secret key from its local office key (which itself may be derived from a global master key) and decrypts the request, thereby verifying its authenticity. If positive, the PSP uses the customer's secret key to generate an encrypted charge command containing the counter z_1, the amount x and the keyword and sends it to the customer.

Finally the customer forwards the received message to the card, which decrypts the charge command. If the charge command is verified the card increments its counter z_2 by x.

1. The customer sends (keyword, x) to the card.

2. The card sets z_1 = z_1 + 1 and sends Y := F_{SK_C}(keyword, z_1, x) to the customer.

3. The customer sends (Y, ID_C) to the PSP.

4. The PSP computes SK_C = h(SK_PO, ID_C) and (keyword, z_1, x) = F^{-1}_{SK_C}(Y).

5. The PSP sends Z := F_{SK_C}(keyword, z_1, x) to the customer.

6. The card verifies F^{-1}_{SK_C}(Z) = (keyword, z_1, x). If this is ok it sets z_2 = z_2 + x.


3.2 Generating Stamps

When a customer wants to stamp a letter, he uses his stamp program to send a stamp request containing the postage amount y (which can be determined by the stamp program), a hash value v of the specific parameters of the letter and the stamp keyword to the smart card. The specific parameters of the letter contain the address of the recipient, the customer's ID, the date and may contain other data as well, making the specific parameters unique. Note that the customer is responsible to use the correct date. If the date is not within a specific time frame when checked at the PSP, the letter is considered more closely, as it might have a fraudulent stamp. Thus if the date is not correct the letter will take longer time to be delivered. The card checks z_2 ≥ y and, if positive, decrements z_2 by y and generates the stamp for the letter, encrypting v concatenated with y. If z_2 < y the card returns an error.

Finally the stamp and the specific parameters of the letter are printed onto the letter using an arbitrary machine readable encoding.

1. The customer determines the postage amount y and the specific parameters of the letter D, calculates v := h(D) and sends (keyword, v, y) to the card.

2. The card checks y ≤ z_2. If positive, it sets z_2 = z_2 − y and sends X := F_{SK_C}(v, y) to the customer. If negative, it sends an error.

3. The customer prints (D, X) onto the letter.
3.3 Verification of the Validity of Stamps at the PSP

The PSP can verify the validity of stamps without connecting to a database for every stamp. First it checks that the specific parameters are consistent with the letter (e.g. that the address and the date is correct). If the date is not within a certain time frame (i.e. dated in the future or older than (say) three days) the PSP redirects the letter to a place where stamps which might have been forged are considered more closely. Only in this case the PSP stores the suspicious stamps in a database to recognize copied stamps. Note that the customer itself is responsible for the date in the stamp to allow timely processing without second level checking. This strategy makes the presence of a secure real-time clock at the client system obsolete. After this checking the PSP computes the customer's secret key using the secret key of the local office and the customer's ID contained in the specific parameters of the letter. Using the customer's secret key the PSP decrypts the stamp, yielding a pair (v, y). Finally, it checks that amount y is sufficient as postage for this letter and that v is the hash value of the specific parameters of the letter.

1. The PSP reads (D, X) and checks the consistency of D (e.g. consistency of address, expiration of validity).

2. The PSP extracts ID_C from D and computes SK_C = h(SK_PO, ID_C).

3. The PSP computes (v, y) = F^{-1}_{SK_C}(X).

4. The PSP verifies v = h(D) and checks that amount y is sufficient as postage.
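The three stages of Sections 3.1-3.3 run end to end, as an added example that is not the paper's code: F is a constructed encrypt-then-MAC built from HMAC-SHA256 so that F^{-1} also rejects tokens made under another key; the keyword strings, the date window and the card's pending flag (which keeps one charge confirmation from being credited twice) are assumptions not given in the text; SK_PO, SK_C, ID_C, z1, z2, v, x, y follow the notation above.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumed constants: the paper's keyword strings are not given; two distinct
# keywords keep a charge request from being reflected back as a confirmation.
CHARGE_REQ, CHARGE_OK, MAX_AGE_DAYS = "charge-req", "charge-ok", 3


def h(key: bytes, data: bytes) -> bytes:
    """Keyed hash: used for SK_C = h(SK_PO, ID_C) and inside F."""
    return hmac.new(key, data, hashlib.sha256).digest()


def letter_hash(D: dict) -> str:
    """v = h(D): hash of the letter's specific parameters (canonical JSON)."""
    return hashlib.sha256(json.dumps(D, sort_keys=True).encode()).hexdigest()


def _stream(key: bytes, n: int) -> bytes:
    return b"".join(h(key, b"ks" + i.to_bytes(4, "big")) for i in range(n // 32 + 1))


def F(key: bytes, fields: tuple) -> bytes:
    """Constructed F: JSON fields XORed with an HMAC keystream, plus a 16-byte tag."""
    pt = json.dumps(list(fields)).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    return ct + h(key, b"tag" + ct)[:16]


def F_inv(key: bytes, token: bytes):
    """F^-1: the field tuple, or None when the tag fails (other key or tampering)."""
    ct, tag = token[:-16], token[-16:]
    if not hmac.compare_digest(tag, h(key, b"tag" + ct)[:16]):
        return None
    return tuple(json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))))


class SmartCard:
    """Holds SK_C, the charge counter z1 and the balance z2 (not readable from outside)."""
    def __init__(self, sk_c: bytes):
        self._sk, self.z1, self.z2, self._pending = sk_c, 0, 0, False
    def charge_request(self, x: int) -> bytes:            # 3.1 step 2
        self.z1 += 1
        self._pending = True
        return F(self._sk, (CHARGE_REQ, self.z1, x))
    def charge_confirm(self, Z: bytes) -> bool:           # 3.1 step 6
        fields = F_inv(self._sk, Z)
        # z1 must match the outstanding request; the pending flag (an addition
        # to the paper's step list) stops the same Z from being credited twice.
        if (not self._pending or fields is None
                or fields[0] != CHARGE_OK or fields[1] != self.z1):
            return False
        self._pending, self.z2 = False, self.z2 + fields[2]
        return True
    def stamp(self, v: str, y: int):                      # 3.2 step 2
        if y > self.z2:
            return None                                   # insufficient balance
        self.z2 -= y
        return F(self._sk, (v, y))


class PostalService:
    """PSP side; SK_C is derived from the local-office key SK_PO when needed."""
    def __init__(self, sk_po: bytes):
        self._sk_po = sk_po
    def customer_key(self, id_c: str) -> bytes:
        return h(self._sk_po, id_c.encode())
    def process_charge(self, Y: bytes, id_c: str):        # 3.1 steps 4-5
        sk_c = self.customer_key(id_c)
        fields = F_inv(sk_c, Y)
        if fields is None or fields[0] != CHARGE_REQ:
            return None
        return F(sk_c, (CHARGE_OK, fields[1], fields[2]))
    def verify_stamp(self, D: dict, X: bytes, postage_due: int, today: date) -> str:
        """3.3 steps 1-4: 'ok' or the reason the letter is set aside for inspection."""
        age = (today - date.fromisoformat(D["date"])).days
        if age < 0 or age > MAX_AGE_DAYS:
            return "date-out-of-window"
        fields = F_inv(self.customer_key(D["customer_id"]), X)
        if fields is None:
            return "bad-stamp"
        v, y = fields
        if v != letter_hash(D):
            return "stamp-does-not-match-letter"
        return "ok" if y >= postage_due else "insufficient-postage"


def demo() -> dict:
    """Full run on constructed data: charge 100 units, then stamp a 55-unit letter."""
    psp = PostalService(b"constructed-local-office-key")
    card = SmartCard(psp.customer_key("C-4711"))          # SK_C personalised onto the card
    Y = card.charge_request(100)
    Z = psp.process_charge(Y, "C-4711")
    charged = card.charge_confirm(Z)
    D = {"customer_id": "C-4711", "to": "1 Example St, 12345 Town", "date": "1999-05-03"}
    X = card.stamp(letter_hash(D), 55)
    check = date(1999, 5, 4)
    return {
        "charged": charged, "balance": card.z2,
        "verify": psp.verify_stamp(D, X, 55, check),
        "replay_Z": card.charge_confirm(Z),                        # already consumed
        "second_stamp": card.stamp(letter_hash(D), 55),            # only 45 left
        "altered": psp.verify_stamp({**D, "to": "elsewhere"}, X, 55, check),
    }
```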



3.4 Replay Detection

Although a stamp is tied to a fixed set of characteristics of the letter, one still has to consider replay attacks. It is not unlikely that a company needs to send many letters with the same characteristics within a short time (e.g. the correspondence with one of its dependencies). In this case the company could save a lot of money by illegally copying and reusing stamps.

The only way to detect illegal copying is to log all verified stamps in databases. Since mail is usually verified at a post office located in the same region as the customer, this can be done in a decentralized way, i.e. the stamps of a certain customer are logged at the regional post office. The data of mail which is verified by different post offices can be exchanged by network connections.

Furthermore, since stamps are likely to be verified in essentially the same order as they have been generated, the logging can be done very space efficiently: For each customer C let z_C be the greatest number z such that all stamps of customer C having serial number smaller than z are either expired or have already been verified. Then for each customer C it is sufficient only to store z_C and the (compressed) list of the serial numbers greater than z_C of the verified stamps from customer C.

For concrete estimates for the expected size of the databases we refer to [3].
We will conclude this work by briefly comparing our approach to IBIP:

Advantages of IBIP

— If a secret key SK_PO of a local post office is compromised, in our approach the PSP has to replace a set of smart cards, namely all smartcards whose key is derived from SK_PO. In IBIP, if a secret USPS-key was compromised, one would only need to replace the certificates signed by this key. This is no real threat as SK_PO and the secret USPS-key are additionally secured by strict organizational means.

— By using the special purpose hardware with real-time clock it would be harder for an attacker to change the time to produce forged stamps.

Advantages of Our Approach

— Our approach does not require special purpose hardware but simple smart cards at the client, which is much more cost efficient.

— The "signature" in the stamp in our concept is at most 16 bytes, which is less than half as big as in IBIP using EC-type signatures, not to talk about RSA. Thus our stamps do not cause problems, even if they are used for postcards or small letters.

— Verification of stamps in our approach is much more efficient than in IBIP, because one does not need to connect to a directory to obtain certificates, but derives the corresponding symmetric key by simple operations. Thus it will be feasible to verify all stamps, recognize forged stamps and hence prevent fraud.

Comparing the arguments for IBIP and our approach we think that our approach is much more suitable to implement a large scale system for electronic franking.
Widespread use of digital networks has created a kind of cyber-society whose citizens are increasingly able to participate in the full range of activities associated with a real community. One convenience which they still appear to lack, however, is a handy system for drawing lots. In a real community, a group of people can gather in one place to draw lots by themselves or to observe that a representative indeed drew in a fair manner. Being physically present is essential to be assured of fairness, i.e., that there was no cheating in the process, but this is essentially impossible in a cyber-society.

Cryptographic protocols provide a theoretical basis for achieving assured fairness, and studies on secure multi-party computation demonstrate the possibility of determining a winner randomly [1,2]. Goldschlag and Stubblebine present a simple lottery scheme based on a delaying function [3]. These schemes can be used in principle to build a lottery system, given their specifications. However, an actual tool to support a flexible, universal lottery, whose design and purposes might be modified, has, to the author's best knowledge, yet to be reported.

This paper presents the implementation of a convenient digital lottery server to be used on the WWW. It offers an outcome that a group of users can agree to have been determined randomly. The server can be used for selecting at random a single winning participant or multiple winners at various levels of winning (e.g. a single 1st prize winner and 2nd prize winners, etc.). It can also be used for the random ordering of participants (e.g. to determine a draw for an athletic



CO p titio .) s r r alio s a i itiator of a lott r s ssio to d t r i its 

p rpos a d d sig its r 1 s. 

I d sig i g s c a lott r s r r, s c rit r q ir ts a d applicabilit 
f at r s oft CO i co flict it ac ot r. a car f 11 d sig d t 
lott r sc t at t s r r adopts to t t folio i g r q ir ts fro 
t asp ct of bot s c rit ad applicabilit . 

Fairness: Users can be assured that outcomes are generated in a fair manner, under reasonable assumptions.

Verifiability: The server provides users with verification means to detect any inconsistencies made during the session.

Simplicity: The server's round complexity in the scheme is kept as low as possible.

Robustness: The server does not fail to conduct an outcome, even in the presence of lazy players, i.e. those who for some reason fail to participate as they should.

Flexibility: The server can handle any type of lottery that would be carried out in general.

Descriptiveness: The server provides a simple template by which the initiator can describe in detail the characteristics of the lottery desired.

Feeling of reality: Consideration must be taken in designing an appropriate human interface to increase the sense of "reality" of the act of participation.

We believe this constructed lottery server will be useful in a number of ways: an individual might use one, for example, to choose from friends distributed over the net the persons to whom to give spare movie tickets; managers of public facilities might use one to choose among applicants for use of those facilities; newly developed electronic auction systems or electronic voting systems might use one to hold a lottery in case of a tie; etc.

The rest of the paper is organized as follows: in Section 2, we describe the basic process involved in a lottery session, and in Section 3, we present the implementation more specifically.



2 Basic Process

The lottery scheme that we employ involves two kinds of users: a dealer, who initiates a lottery session on the lottery server, and players, who access the server and participate in the lottery session.

On the other hand, the lottery server manages and carries out multiple lottery sessions initiated by the users. More specifically, the trustworthy server:

• provides users a means to start lottery sessions and become dealers,

• maintains the secrecy of the initial values of each session until its closure,

• provides users a means to participate in the sessions they wish to participate in,

• on a due date, executes a lottery and computes its outcome, and

• displays the outcome of each executed lottery session in a verifiable manner.

An outline of how a session proceeds is as follows:

1. A dealer initiates a lottery session on the lottery server. He describes its design and purpose using a template, then determines an initial value x, and submits it.

2. The server, on accepting the request, determines a server's initial value y for the session using a random number generator. The server assigns a unique session ID, sid.

3. The server adds the description of the session to a session list, which is published on the Web, together with commitments to the dealer's initial value x and the server's initial value y. Here, the commitments are computed as H(sid ∘ x) and H(sid ∘ y) using a cryptographically secure hash function H [4].

4. Each player chooses the session he wishes to participate in, and enrolls his name together with a string r freely created by himself.

5. On the date of execution, the server computes the outcome from the two initial values and the strings created by each player. The result of the session is mapped from the hashed value H(x ∘ y ∘ r1 ∘ ... ∘ rn ∘ DESC ∘ sid), where DESC denotes a string uniquely converted from the description of the session.

6. The outcome is published on the Web, together with the revealed initial values x, y and the strings r created by each player.

7. Each player may verify the following: that the string he created is indeed included, that the outcome has been correctly computed, and that the initial values had been correctly committed, by computing H(x ∘ y ∘ r1 ∘ ... ∘ rn ∘ DESC ∘ sid), H(sid ∘ x) and H(sid ∘ y).



2.1 Features

We assume that a cryptographically secure and ideal hash function achieves the following properties:

One-wayness. Given H(x), it is hard to compute x. Moreover, given H(x) and a partial string constituting x, it is hard to recover x entirely.

Collision-freeness. It is hard to find x and x' that yield H(x) = H(x').

Randomness. The distribution of H(x) can be regarded as random.

Based on these properties of the hash function, the lottery scheme described above provides the following features:

Strings chosen by the players equally contribute to computing the outcome. The output of an ideal hash function is dependent on each bit of the input. Controlling a part of the input cannot control the output.

Players are not allowed to gain an unfair advantage. In order for a player to select a string advantageous to himself, knowledge of all the other players' strings and of the initial values x and y is required. However, the public information regarding x and y is H(sid ∘ x) and H(sid ∘ y), which leaks no information on x and y due to the one-wayness of the hash function. Even if a player colludes with the dealer, the value of y is revealed by no one but the trustworthy server.

Neither dealers nor the server can alter the initial values without being detected. In order to alter the initial value x to x', or y to y', H(x) = H(x') or H(y) = H(y') must hold if this is not to be detected. Such collisions are hard to find due to the collision-free property of the hash function.




Security Concerns

A possible concern in the proposed system is the centralized power at the server, i.e., it knows all the initial values of the sessions. A way to decentralize the power is to keep some of these values from the server and distribute them among a dealer and/or some of the participants at each session. For example, a dealer may not submit its initial value x in plaintext when initiating a session, but instead submit H(sid ∘ x) from the beginning. Thus the server is prevented from knowing x. The participants, some or all of them, can voluntarily act in setting initial values. That is, they can send the hashed value of a string of their choice, which will be published, before the session begins. They will reveal the string only after the closing of the session. In this case, each participant can be completely assured of fairness, because no cheating is possible as long as he keeps the string to himself.

The biggest drawback to this approach is that both the dealer and the volunteer participants must be available when computing the outcome. This affects the scheme's robustness, in that the session may terminate without an outcome.

We feel that a more suitable approach is to introduce multiple independent entities within a server, which is always assumed to be present in executing a lottery. When initiating a session, each entity generates an initial value and broadcasts its hashed value to the other entities. The set of all hashed values can be considered as the server's hashed values, or more conveniently, the hashed value of all hashed values from the entities can be used. This improvement does not cause any change in the user procedure. Other conventional techniques on threshold schemes can also be employed.

3 The Lottery Server

We have constructed a lottery server on which to implement the proposed scheme. For the implementation, we specifically designed:

• a template which allows a dealer to describe the design and the purpose of his lottery, and

• a lottery engine which specifies the input to the hash function and the mapping of a hashed value to the outcome of the lottery.
Starting a Session

A dealer, the person who opens a lottery session, specifies the following using the template:

• the title of the session

• the aim of the session

• participants' qualifications: Sessions may be either open to all or limited to members. In the latter case, a list of members must be given.

• selection field: Selections can be made from a field comprising participants, limited members, or others. In the third case, a list of items in the selection field must be given, for example, spades, hearts, clubs, or diamonds for a card game, or 1-6 for a dice game. The second case applies when one needs to select among the members with equal probability, despite possible laziness of each member. That is, if a member fails to participate, he still has a chance of winning (or, similarly, losing) in the lottery.

• outcome to be determined: its item description and number. Items can be plural, e.g. one 1st prize winner and 2nd prize winners.

• opening and closing dates

• date to execute the lottery

• an initial value x

Although this template does not serve to represent all types of possible lotteries, we believe it compactly describes most of the designs and purposes of lotteries.
When a request for a lottery session with its description is submitted, the server asks the dealer to choose an initial value x. The server then generates a random string y to be the server's initial value for that session, and assigns a session number (session ID, sid). The description of the session with the values of H(sid ∘ x) and H(sid ∘ y) is published on the Web.

Participating in a Session

Each participant specifies a session number, either one obtained from the list of public sessions, or one provided by the dealer or another participant. The server displays the aim and description of the session, together with the hashed values H(sid ∘ x) and H(sid ∘ y). Typing in his name and a freely chosen string completes the participation procedure. On accepting his entry, the server displays his registration number with the string he submitted.

Result of a Session

After the closing date, the lottery server computes the outcome and publishes the result. The server provides a verification tool so that all participants can
The following are inputs to the lottery engine:

• the dealer's name

• the dealer's initial value and its published hashed value

• the server's initial value and its published hashed value

• each participant's name, his registration number, and his string, in the order of participation

• a list of the items in the selection field in a specified order

• a list of the outcome descriptions and their numbers in a specified order

• the session ID

The engine concatenates the above input in the specified order and computes its hashed value. The hashed value is then mapped to a number in the list of selection field items using modular computation. When multiple items are to be selected, the hashed values are sequentially hashed to obtain the necessary distinct winning items.
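The session steps 1-7 of Section 2 and the lottery engine just described (ordered concatenation, modular mapping, sequential hashing for several winners), as an added Python example that is not the paper's program. It assumes H is SHA-256 (the paper only requires a cryptographically secure hash function), makes the concatenation ∘ unambiguous by length-prefixing each part, and uses constructed session values.

```python
import hashlib
import secrets

# Added example for the session steps 1-7 and the lottery engine; it is not
# the paper's program. Assumed: H is SHA-256 (the paper only requires a
# cryptographically secure hash function), and the concatenation "a o b" is
# made unambiguous by length-prefixing each part. All session values below
# are constructed.


def H(*parts: str) -> str:
    """H(p1 o p2 o ... o pn) as a hex digest."""
    h = hashlib.sha256()
    for p in parts:
        b = p.encode("utf-8")
        h.update(len(b).to_bytes(4, "big"))  # so that "ab"|"c" != "a"|"bc"
        h.update(b)
    return h.hexdigest()


def commit(sid: str, value: str) -> str:
    """Commitment published in step 3: H(sid o value)."""
    return H(sid, value)


def outcome_hash(x: str, y: str, strings: list, desc: str, sid: str) -> str:
    """Step 5: H(x o y o r1 o ... o rn o DESC o sid)."""
    return H(x, y, *strings, desc, sid)


def select_items(hashed: str, field: list, count: int) -> list:
    """Engine mapping: reduce the hashed value modulo the field size; when
    several items are needed, hash sequentially until `count` distinct items
    have been drawn (their order is the winning order)."""
    if not 0 < count <= len(field) or len(set(field)) != len(field):
        raise ValueError("need 1..len(field) items from a duplicate-free field")
    chosen, h = [], hashed
    while len(chosen) < count:
        item = field[int(h, 16) % len(field)]
        if item not in chosen:
            chosen.append(item)
        h = H(h)  # the next draw uses the hash of the previous value
    return chosen


def run_session(sid, desc, x, y, strings, field, count) -> dict:
    """Server side of steps 3-6: what gets published, i.e. the commitments,
    then (after closure) the revealed x and y, the players' strings and the
    computed outcome."""
    h = outcome_hash(x, y, strings, desc, sid)
    return {"sid": sid, "desc": desc,
            "commit_x": commit(sid, x), "commit_y": commit(sid, y),
            "x": x, "y": y, "strings": list(strings),
            "field": list(field), "count": count,
            "winners": select_items(h, field, count)}


def verify(pub: dict, my_string: str) -> bool:
    """Step 7, run by a player: own string included, commitments consistent
    with the revealed x and y, and the outcome recomputed from scratch."""
    if my_string not in pub["strings"]:
        return False
    if commit(pub["sid"], pub["x"]) != pub["commit_x"]:
        return False
    if commit(pub["sid"], pub["y"]) != pub["commit_y"]:
        return False
    h = outcome_hash(pub["x"], pub["y"], pub["strings"], pub["desc"], pub["sid"])
    return select_items(h, pub["field"], pub["count"]) == pub["winners"]


if __name__ == "__main__":
    # Constructed session: the dealer's x, the server's y from a CSPRNG
    # (step 2), three enrolled players with their strings (step 4), and two
    # winners drawn from the participants (the selection field is the names).
    names = ["alice", "bob", "carol"]
    strings = ["rain", "7x9", "blue"]
    pub = run_session("sid-0001", "two spare movie tickets", "dealer-x",
                      secrets.token_hex(16), strings, names, 2)
    print("winners:", pub["winners"])
    print("alice verifies:", verify(pub, "rain"))
```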

Implementation Status

We have implemented a demonstration system which works on Windows 95 and Windows NT Server/Workstation. The system requires a web server such as Personal Web Server or Internet Information Server, and a Netscape Navigator. The program has 6… lines, less than a tenth of which are devoted to describing the lottery engine. For actual use, we are also developing a system that uses an Oracle database for the session management, with e-mail services for users to notify the status of one's lottery session.

Concluding Remarks

In this paper, we have presented the design and implementation of a lottery server on the WWW. This is an actual tool to support a flexible, universal lottery, where a user can start a lottery session of his own purpose. The server provides users a verification means, which helps them to be assured of fairness. Through the use of a trustworthy server that maintains secrets, the scheme does not complicate actual operations or adversely affect the ease of actual use.
1 Introduction

There is wide agreement on the immense potential of the Internet, especially for exciting applications like electronic commerce, government-citizen relationships and digital distribution, but a significant part of the users are still reluctant to use the network for financially or legally sensitive data due to the lack of security. The growth and performance of the Internet are adversely affected by security issues and by the open design of the network itself. Thus, despite its enormous possibilities, the Internet has not yet become a common medium for those applications because it is still too easy to intercept, monitor and forge messages, and to impersonate users [1].

Several systems, such as Kerberos [2,3], have been proposed to protect communications over public networks using symmetric-key cryptography. Those systems are not easily scalable for large groups of users belonging to different organizations. However, some efforts have been accomplished to solve this problem [4,5,6].

On the other hand, public-key cryptography [7] seems to be well suited to satisfy the requirements of the Internet, and is fast becoming the foundation for those applications that require confidentiality and authentication in an open network.

The widespread use of a global public-key cryptosystem is complemented by a Public-Key Infrastructure (PKI), an efficient and trustworthy means to manage public-key values. The PKI is a vital element because it enables the application of the cryptosystem to the exchange of sensitive information between parties that do not have a face-to-face interaction.

This paper introduces Cert'eM, a key management and certification system based on the electronic mail service structure, and it is organized as follows: section 2 presents the system structure and operation; section 3 summarizes additional features that improve the efficiency of the system; section 4 describes the protocol used to access the key servers and, finally, section 5 presents concluding remarks.

2 Description of the System

The fundamental principles of Cert'eM can be summarized in the following design goals:

• to use a new architecture that satisfies the needs of near-certification, so that trust can be based on whatever criteria is used in real life;

• to eliminate the problems associated with the revocation procedures and simplify the validation of certificates;

• to avoid architectures that yield scalability problems;

• to avoid the synchronization problems associated with schemes that keep multiple copies of the keys and certificates; and

• to minimize the network traffic, especially that generated by management operations.

2.1 Structure

The main element in the hierarchy is the Key Service Unit (KSU), which integrates both key certification and certificate management functions. Cert'eM uses a scheme with various KSUs operating over disjoint groups of users, conforming to a predefined hierarchy.

Figure 1 shows the system structure. The KSU hierarchy defined by Cert'eM is parallel to the hierarchy of Internet domains. A relevant feature is that KSUs are associated with the corresponding e-mail offices.

As shown in figure 2, every KSU is managed by a Certification Authority (CA). Additionally, it contains a database to store the certified keys of its users; each user public-key certificate is stored exclusively in the database of his/her KSU. The third component in the KSU is the key server, which receives requests and delivers the certificates to the requesters. The key server also manages a certificate cache that keeps some of the external certificates recently received. The certificate cache, carefully designed, enhances the efficiency of the system without introducing any security risk. Furthermore, a CA can define its own cache policy according to its users' needs.

Each CA can set restrictions to limit the users or KSUs allowed to access the server. This feature provides the CA with a useful tool to avoid abuse and to balance the workload between different servers.

The certified keys are managed solely by the corresponding CA; therefore, key updating and revocation are local operations without influence on the rest of the system.

We must underline that no Certificate Revocation List (CRL) is used in the design. The validation of a certificate is achieved using a timestamp statement signed by the CA attesting that the certificate had not been revoked at the time of issuance of the statement. A certificate is considered expired if its validity period has finished. If a certificate has not expired we call it an active certificate. An active certificate is valid if it has not been revoked; therefore, in order to validate active certificates the CA simply issues a
2.2 System Operation

Cert'eM defines a special user, ca@domain, in every KSU in order to denote the corresponding CA. The certificate of a CA is stored exclusively in the database of its parent KSU. Exceptionally, the key of a CA located at a top-level domain is stored in the database of its own KSU, certified by the domain registering authority. Keys distributed by a KSU are always certified by the corresponding CA; thus, in the subsequent discussion, we will use the terms 'key' and 'certificate' equivalently.

The logical structure of the data transmitted by a KSU in response to a certificate request is important in order to clarify the key distribution procedure. The certification response consists of two components:

• an X.509v3 certificate [8] containing, among other information, a serial number and the expected life of the certificate (the validity information);

• the timestamp statement signed by the CA, containing the certificate serial number and the time of issuance.

Other systems [9,10] propose a similar mechanism. But for our purposes this solution is not convenient because it does not provide tools to limit the use of that "pre-validated" certificate in the future.

Therefore, in our scheme, the certificate does not need to be issued on-line; however, it still provides a good degree of security against attacks that try to use revoked certificates.

We describe now the sequence of actions that are carried out when a user (requester) wants to get the public key of another user (addressee). This process starts when the e-mail address of the latter is provided by the requester to his/her KSU, and this one, in turn, conducts the request to the addressee's KSU, whose database contains the key. Such an operation is easily done because the system can determine the KSU to be contacted from the mail address provided.

The previous actions are shown in figure 3 (left). In this case, the figure depicts the information flow produced when user bob (bob@r.s.…) requests the key of user alice (alice@…). Bob requests alice's key from his own KSU and this one directs the request to the KSU located at the addressee's node. The response from alice's KSU is then forwarded to bob.

Bob must request the key from his KSU due to the access restrictions that other KSUs set, and also to take advantage of the certificate cache of his KSU.

If considered necessary, bob can also request the certificate of the CA of alice's domain from the KSU located at the parent node, obtaining a certificate that proves the authenticity of the first one. This is depicted in figure 3 (right). The ascending validation process can continue until a top-level node is reached. If no KSU is present at a node (i.e. the domain does not support the Cert'eM system), the key of its CA is automatically requested from the parent node. This allows Cert'eM to be used in case of incomplete structures.

Some similarities can be found between Cert'eM and the Secure DNS proposal [11,12]. Both use the Internet domain name hierarchy to find the location where a particular key is stored, but Secure DNS uses the name server utilities while Cert'eM uses the e-mail offices. Our choice is based on the following reasons:

• Opposite to e-mail offices, it is usual that several domains share the same DNS; therefore, it is frequent that DNSs are not closely related to users, and their managers may not have a direct knowledge of the users' identities, being more vulnerable to impersonation.

• DNSs are intended to store information about domains, not about users. As a consequence, there is a registration procedure for a new domain but not for a new user of one of the registered domains. In fact, there is no need for a final user to ever interact with the DNS to get access to the Internet, but users are forced to interact with e-mail offices to set up an e-mail account.

• DNSs use caching and lifetime mechanisms that could yield inaccurate or false information in some situations. This feature can be used to attack the system.

For these reasons the Secure DNS scheme cannot guarantee the link between real-world users and keys (not conforming with article 1.2 in [13]).



3 Additional Features

One of the advantages of Cert'eM is that, in case the private key of a user is compromised or lost, the associated public key can be revoked or replaced without possessing the private one. This is possible because there is an entity (the CA), responsible for the maintenance of the database of certificates, which can perform a real-world user identification. Opposed to other systems that require that the user generates a "suicidal note" to be used in case the key is compromised or lost [14], Cert'eM users do not need to take any preventive measures for this circumstance.

In case the key of a CA is changed, existing certificates must be discarded, and the CA must reissue all the certificates. Other systems need to notify this event to users and request old certificates in order to re-certify their keys and distribute the new certificates. In Cert'eM, a CA keeps the certificates of its users in the local database of the KSU, and there is no need to send new certificates and notify the invalidation of the previous ones. Consequently, the change of the CA key is transparent to users.

Usually, the need to check CRLs for certificate revocations becomes a performance handicap. For this reason, systems that use CRLs or similar mechanisms (e.g., the On-line Certificate Status Protocol [15], or Suicidal Bureaus [14]) to invalidate certificates incorporate solutions to minimize the number of accesses needed to verify a certificate, but these solutions are sometimes artificial and not efficient. Therefore, avoiding the use of CRLs has been considered one of the priority goals in the design of Cert'eM.

In order to achieve a design that does not pose the problems of using CRLs while still retaining their benefits, all the information related to the certification of a specific user must be located and managed at the corresponding KSU. In case a CA decides to record certificate invalidation events, a local invalidation list can be managed locally. Notice that such a list is completely different from a CRL because it will be used exclusively by the CA.

When a user certificate needs to be invalidated (because his/her key has been lost or compromised, or because the CA has reasons to cease certifying the user) the CA simply deletes the certificate from its database and, if appropriate, stores the revoked certificate in the local invalidation list. This procedure is simple, immediate, requires no communication and can provide proofs of the certificate revocations in case the CA needs those proofs.

Once the rev ocation takes place, existing active certificates are not useful any more because no timestamp statement will be issued to make them valid. The use of the timestamp statement prevents attacks based on old certificate reuse.

3.1 User Identification

When designing a key management system that achieves secure user identification it is necessary to take into account the difference between the real world (where people, companies and computers are), and the Internet world (where names, keys and certificates are).

It must be pointed out that many of the identity certificates presently used by many schemes are based exclusively on a contact, through the Internet, between the user and the CA. This is clearly unsatisfactory because the requester of a certificate will usually require some guarantee of the link between the identity of the user in the real world and his name in the Internet world. Therefore, in these certificates, trust is misinterpreted from the start.

The design of Cert'eM guarantees that a CA will only certify the keys of those users close to it. Therefore, a formal identity verification procedure has been established to give a legal meaning to the certification process [16]. Consequently, a link is established between the identity documents (valid in the real world), a distinguished name in the Internet world (the e-mail address) and a cryptographic key.

It has been described how Cert'eM uses the e-mail addresses to identify users. There are two common criticisms about the use of e-mail addresses as distinguished names. Firstly, it is claimed that the relationship between a person in the real world and an electronic mail address is not one-to-one because a user can have several e-mail accounts and different aliases. Besides, there are certain e-mail addresses that do not represent a single user but a group of them. Secondly, it is also claimed that, in some cases, the alias file can be modified without administrator or root permissions. Cert'eM has been designed to overcome these problems by isolating the certification management from the mail account management.

4 Key Server Access Protocol

In this section we introduce the protocol that describes how both individual users and other key servers access a KSU. A connection to a dedicated port is used for the Cert'eM service. The requests are represented in a client/server scenario, where individual users or key servers can play the client role; for instance, consider a request from user bob@r.s.… (client) to the KSU located at r.s.… (server), followed by a request from the KSU located at r.s.… (now client) to the KSU located at the addressee's node (server). In the subsequent description C will be used to denote a generic client and S to denote a generic server.

4.1 Data Structures

We will use the following data structures as part of the protocol:

ClientId: Identification of the client.

UserId: E-mail address (with format name@domain) of the user whose key (certificate) is requested. Cert'eM uses the domain to determine in which KSU the key resides.

Cert: X.509v3 certificate containing, among other information: the user identification (equivalent to UserId), the user's public key, a certificate serial number that is unique for the issuing CA and the expected activity period (life) of the certificate. This record is kept in the KSU database, so there is no need to produce it on line.

Timestamp statement: statement containing a certificate serial number, and the time of issuance of this statement, signed by the CA. It is used to guarantee that the certificate with that serial number had not been revoked at the time of issuance. Opposite to the Cert, this record is produced on line.

CertId: Certificate identification consisting of the UserId of the addressee user and the certificate serial number of the active certificate to be checked.

NAck: Negative acknowledgement. It guarantees that there is no key associated with the UserId requested.
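An added Python model (not the Cert'eM implementation) of two mechanisms described above: the KSU lookup from the mail domain of a UserId, with the parent-domain fallback of section 2 for domains without a KSU, and CRL-free validation of the Cert plus timestamp statement pair (expired, active or valid). The CA signature is stood in for by an HMAC with the CA's secret key, and every name, domain, key and time is constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Added model of two Cert'eM mechanisms; it is not the Cert'eM implementation.
# (1) KSU lookup from the mail domain, walking up to the parent domain when a
#     domain has no KSU of its own (incomplete structures).
# (2) CRL-free validation: expired / active / valid, where "valid" needs a
#     fresh timestamp statement signed by the CA of the user's KSU.
# The CA signature is stood in for by an HMAC with the CA's secret key, and
# every name, domain, key and time below is constructed.


@dataclass(frozen=True)
class Cert:
    user_id: str     # name@domain (the UserId)
    public_key: str
    serial: int      # unique for the issuing CA
    not_after: int   # end of the validity period (seconds since epoch)


@dataclass(frozen=True)
class TimestampStatement:
    serial: int
    issued_at: int
    signature: bytes  # by the CA


class KSU:
    """Key Service Unit: a CA plus the database of its own users' keys."""

    def __init__(self, domain: str, ca_key: bytes):
        self.domain, self.ca_key, self.db = domain, ca_key, {}

    def certify(self, cert: Cert) -> None:
        self.db[cert.user_id] = cert

    def revoke(self, user_id: str) -> None:
        # Revocation is local: the certificate just leaves the database, so
        # no further timestamp statements can be issued for it.
        self.db.pop(user_id, None)

    def respond(self, user_id: str, now: int) -> Optional[Tuple[Cert, TimestampStatement]]:
        """Certificate request: (Cert, statement) or None, meaning NAck."""
        cert = self.db.get(user_id)
        if cert is None:
            return None
        return cert, TimestampStatement(cert.serial, now, self._sign(cert.serial, now))

    def _sign(self, serial: int, issued_at: int) -> bytes:
        return hmac.new(self.ca_key, f"{serial}:{issued_at}".encode(), hashlib.sha256).digest()

    def statement_ok(self, ts: TimestampStatement) -> bool:
        return hmac.compare_digest(ts.signature, self._sign(ts.serial, ts.issued_at))


def find_ksu(domain: str, ksus: dict) -> Optional[KSU]:
    """Return the KSU for `domain`, or the nearest ancestor domain's KSU."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        ksu = ksus.get(".".join(labels[i:]))
        if ksu is not None:
            return ksu
    return None


def validate(cert: Cert, ts: Optional[TimestampStatement], ksu: KSU,
             now: int, max_age: int) -> str:
    """'expired' once the validity period is over; 'active' if not expired but
    without an acceptable statement; 'valid' if a correctly signed statement
    for this serial was issued no more than `max_age` seconds ago."""
    if now > cert.not_after:
        return "expired"
    if ts is None or ts.serial != cert.serial or not ksu.statement_ok(ts):
        return "active"
    if now - ts.issued_at > max_age:
        return "active"
    return "valid"


def lookup(user_id: str, ksus: dict, now: int, max_age: int = 300) -> str:
    """Requester's view: locate the addressee's KSU, ask for the key, validate."""
    ksu = find_ksu(user_id.split("@", 1)[1], ksus)
    if ksu is None:
        return "no-ksu"
    resp = ksu.respond(user_id, now)
    if resp is None:
        return "nack"
    cert, ts = resp
    return validate(cert, ts, ksu, now, max_age)
```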



4.2 Protocol Description

The protocol is structured in three phases: connection, transaction and termination.

Connection Phase

The connection is established with the following message:

C → S: HELLO [ClientId]

where ClientId is optional, depending on the particular KSU security policy to be implemented.

Each CA can set restrictions to limit the users or computers allowed to access the server. When a server receives this message, it checks whether or not
Abstract. This paper introduces a method for modelling Public Key 
Infrastructures (PKIs). This method is referred to as 3PPM Method (Three 
Part PKI Model Method). The resulting models are referred to as 3PPMs. 
3PPMs are based on the Unified Modelling Language (UML). The 3PPM 
Method can be used in an early stage of PKI setup. It provides for an easy way 
to obtain a model that can be used as a basis for further planning, training and 
documentation. The 3PPM method has already been used in practice by the 
author of this document. 



1 Introduction 

The conception and the setup of Public Key Infrastructures (PKIs) can be regarded as 
one of the main issues in the field of computer security today. Before the set up of a 
PKI starts, it is important to develop a sophisticated model, which visualises the main 
PKI components and procedures. With a well-designed model it is easier to prepare 
the PKI setup, to estimate costs and to avoid misunderstandings. The scope of this 
paper is to introduce a method for modelling PKIs. This technique is referred to as 
3PPM Method (Three Part PKI Model Method), the resulting models are named 
3PPMs. 3PPMs are based on the Unified Modelling Language (UML). The 3PPM 
Method has already been used in practice by the author, who has two years of 
practical experience in the PKI area. 



2 A PKI Set Up Procedure 

For the set up of a PKI an appropriate set up procedure has to be found. According to 
the author’s experience the following procedure can be applied: 

• Modelling of the PKI: In the first step a PKI model should be developed according 
to the operators requirements. This model should be based on a requirement 
analysis and can be used for all future work. 

• Product evaluation and basic tests: Before the PKI installation has started, some 
basic tests can be performed. This is the second step of the set up procedure. 

• Pilot: The third step is a pilot, where a small user group works with a test PKI. 
• PKI roll-out with one application: When the pilot is completed, the company-wide 
roll-out of the PKI can start. It is recommended to start with only one application 
(for example e-mail signatures and encryption). 

• Adding applications: When the PKI works with the first application, other 
applications can be added. 

This procedure has many advantages in practice. The experience made in a certain 
step can be used directly in the next one. Mistakes detected in a step can be avoided in 
the next one. It is important to note that PKI modelling is the first step in this 
procedure. It is virtually impossible to understand a PKI or to exchange any thoughts 
about it without an appropriate model. How such a model can be developed with the 
3PPM Method, is described in this paper. 



3 Basic PKI Units 

The 3PPM Method for PKI modelling uses the terms component, role and use case. 
These terms are defined in this chapter. 

3.1 Components 

A component is a basic unit of a PKI. A component consists of hardware and/or 
software; typically it is one computer running certain software. Typical PKI 
components are the following: 

• Certification Authority: This component is the core part of a PKI. It is responsible 
for generating and signing certificates. 

• Certificate Server: The Certificate Server is a directory server, which provides 
certificates to the user. The user can connect to the Certificate Server for obtaining 
certificates or for checking the status of a certificate. For the latter revocation lists 
can be used. 

• Timestamp Server: This component creates timestamps, which are needed to 
connect a digital signature to the time when it was created. A Timestamp Server is 
not a compulsory component of a PKI, but it makes a PKI more secure. In many 
cases, the Timestamp Server is omitted in the beginning. 

• Local Registration Authority: This component is responsible for accepting 
certification requests and for giving them to the Certification Authority. 

• Revocation Service: This component is necessary for accepting revocation 
requests. 

• User Components: These are the components used by the PKI user for signing, 
encrypting and interacting with the central PKI components. Examples for this are 
E-Mail crypto programs, crypto enabled Web Browsers, hardware crypto 
components and the like. 

• Personal Security Environment (PSE): This component is used by the user to store 
his private keys. It can be a file on a hard disk or floppy disk, or a smart card. 

In any case, a component is a machine. A person is not considered a component. 
3.2 Roles 

Apart from hardware and software, humans play a role in a PKI. A PKI is operated, 
administered and used by humans. For this reason, roles are defined. A role is a set of 
rights and responsibilities that is connected to one or several persons. One person can 
have several roles, and each role can be carried out by one or more persons. 

The roles that have to be determined for a PKI are pretty much dependent on the 
PKI products used. Typical roles are the following: 

• PKI Planner: This is the chief of the whole PKI environment. The PKI Planner 
commands all other roles, but he is not responsible for administration or routine 
tasks. 

• CA Administrator: This role administers the Certification Authority. A CA 
Administrator is responsible for certificate generation and certificate revocation. 

• Certificate Server Administrator: This role administers the certificate server. 

• LRA Administrator: This role is responsible for a Local Registration Authority. 

• User: The PKI user is considered a role, too. 

Usually there are several people connected to one role (for example if two CA 
Administrators are needed). 



3.3 Use Cases 

Apart from persons and machines, processes play an important role in a PKI. For this 
purpose, use cases are introduced. A use case (sometimes also referred to as a 
business process) is a process that appears repeatedly inside a productive organisation. 
Usually the following use cases appear in a PKI: 

• User Registration: This use case needs to be carried out to register a user for 
obtaining a certificate. 

• Certificate Generation: This use case is carried out to generate a key pair for the 
user and to create a certificate around it. This use case is necessary after the user 
has been registered. 

• Certificate Revocation: A certificate has to be revoked, when it shall not be used 
any more. The revocation of a certificate is a use case. 

• Certificate Server Inquiry: This use case is carried out, when a user wants to access 
the Certificate Server to obtain a certificate or certificate status information. 

• Timestamp Inquiry: This use case is carried out, when a user needs a timestamp 
from the Timestamp Service. 

Additional use cases may be defined for certificate renewal, CA key change, 
information distribution and other procedures. 
Fig. 1. The components of a typical PKI shown in a component diagram. Central 
components are the Revocation Service, the Certificate Server and the Certification 
Authority. Each user works with a User Component and a Personal Security 
Environment (PSE). 



4 Identification of Components, Roles and Use Cases 

The first step of the 3PPM Method is the determination of components, roles and use 
cases. There is no algorithm for finding components, roles or use cases, so it is more a 
question of experience and creativity. The following subchapters give some 
guidelines. 



4.1 Determining Components 

To determine PKI components, it must be decided, which kind of components will be 
used and how many of each are needed. A Certificate Authority is always necessary, 
unless certificate generation is outsourced. In a large PKI, several Certificate Servers 
and Timestamp Servers can be used. It goes without saying that each user should have 
his own User Component and his own PSE. 

Complex PKIs may also include more than one Certification Authority. For
example, hierarchies of Certification Authorities may occur. In this case, there is one
Certification Authority issuing certificates for other Certification Authorities, which
themselves may certify subordinate Certification Authorities or users. Another option
is a cross certification. In this case there are two Certification Authorities certifying
each other respectively. In any case, each Certification Authority is a component.

Local Registration Authorities are another kind of component, which may appear 
more than once in a PKI. If a high degree of security shall be reached, each user 
should be required to show up personally at a Registration Authority, which means 
that at each location of an organisation a Local Registration Authority should be 
reachable. On the other hand, one central Registration Authority is sufficient, if 
personal registration is not required. In any case, each Registration Authority is a 
component. 

Of course, it must also be determined what kind of components are used by the
user. This means that the functionality of the user client must be defined. Usually, the
user uses tools for mail encryption and file encryption. Special clients for securing
WWW connections or SAP R/3 transactions are also possible.




Fig. 2. A Use Case/Role Diagram showing two Use Cases and three Roles



4.2 Determining Roles 

It is clear that user roles have to be defined. For the central part of the PKI usually all
the roles mentioned in chapter have to be introduced. The whole PKI operation and
PKI construction should be managed by a Site Planner. For a Certification Authority
and for a Certificate Server, administration roles have to be defined. Of course,
administration roles must be adjusted to the software used, but all major PKI software
systems support administration roles. The user role must also be determined: it must
be clear which members of an organisation may act as users and which other persons
(e.g. customers) are accepted.

Additionally, it must be determined, how many people carry out a role. Privileged 
roles should always be carried out by more than one person in order to make sure that 
there is always a person with privileged permissions available. 
4.3 Determining Use Cases

The use cases appearing in a PKI are usually always the same (see chapter ), so it is not
difficult to identify them. The more critical part is to determine what exactly they look
like. This is pretty much dependent on the security policy and on the IT infrastructure
of the organisation setting up the PKI.

Fig. 3. A PKI Use Case modelled with a sequence diagram



A crucial part of a PKI set up is the determination of the use case Registration and 
Key Generation. It must be clear, whether a user must show up personally at a 
Registration Authority to register for a certificate or if an e-mail registration is 
sufficient. It is also important to know, whether users generate their keys themselves 
or whether a centralised key generation is applied. 



5 Developing A Three Part PKI Model 

The second step of the 3PPM Method is the development of the model itself. The
model consists of three parts; each part is identified with a certain kind of diagram.
Which diagrams are used is described in the following subchapters.



5.1 Component Diagram 

The first part of the model is a component diagram. A component diagram contains 
all the components of a PKI. For a better understanding, some of the roles can be 
included, too. The units interacting with each other are connected with a line. Figure
shows an example for a component diagram.



5.2 Use Case/Role Diagram 

The second part of a 3PPM is a Use Case/Role Diagram. In this diagram every use
case is modelled with an ellipse, every role is modelled with a symbol for a person.
Figure shows an example for a Use Case/Role Diagram. Each role is connected to the
use cases in which it is involved.



5.3 Sequence Diagram 

The third part of a 3PPM is a Sequence Diagram. A sequence diagram lists
components and roles in a table; communication actions are modelled with arrows. An
example for a sequence diagram is shown in figure.

Sequence diagrams should be used to model the more complicated use cases. To
get a sequence diagram for a use case, all communication actions must be found; they
are modelled with arrows. On each arrow a description of the data transported is
written. If an action takes place with only one component or role involved, the arrow
points to the place where it starts.

Not all use cases have to be modelled with a sequence diagram. For the less 
complicated use cases a text description is usually sufficient. According to the 
author’s experience, the use cases for user registration and certificate generation 
should be modelled with a sequence diagram. For all others this is not necessary. 



6 Benefits of the 3PPM Method 

The 3PPM Method enables the development of PKI models, which are easy to 
understand, even for people not knowing this technique. On the other hand, this 
method is powerful enough to get a model that covers all of the main PKI issues. 

The 3PPM Method has already been used in practice. The author has used it in
several PKI projects to develop a model for a company planning a PKI set up. Such a
model can be used to discuss PKI details and it is a part of the specification. Most of
all, a sophisticated but simple model enables the detection of problems and mistakes
at an early stage of the set up project.



7 Summary 

This paper has introduced a method for modelling Public Key Infrastructures. This 
method, referred to as 3PPM Method, is based on the Unified Modelling Language 
(UML). To understand this method, the concept of components, roles and use cases 
has to be understood. The method consists of two steps: In the first step, components, 
roles and use cases are determined. In the second step, the model itself is developed. 
The benefit of this method is that all major aspects of a PKI can be modelled with it. It
is easy to develop a 3PPM and it can be used easily in all later stages of the PKI set
up.

Many vendors are claiming that their products are “open” and “inter-operable”.
This paper is intended to explore what this could mean, and in reality what is
available in the market place, highlighting any issues found by the author.



1 Introduction 

Public Key Infrastructure (PKI) offers a method of protecting an enterprise’s
electronic communications using public key cryptography. Because PKI is an
“infrastructure”, it is usually necessary to obtain board-level approval for funding or
to find some sponsor in the enterprise. As this is sometimes difficult to justify, local
business units are implementing secure solutions that just happen to be PKI based.
As a result of this situation PKI Islands are developing.

PKI Islands have the advantage of allowing an enterprise to seed PKI throughout 
its business without the need to undergo the turmoil of a "big bang" - an approach 
sometimes termed “PKI by Stealth”. However, at some stage an enterprise will need 
to connect the Islands together and also secure its communications with trading 
partners. If inter-operability issues have been ignored at the design stage, problems 
will almost certainly emerge later. 

This paper summarises some of the technical issues of making various PKI 
components inter-operate (or why they cannot operate with each other!). Entegrity 
Solutions have defined an Inter-operability Model which is used within the company 
to examine areas of product deficiency and product enhancements providing 
additional flexibility. 



2 Inter-operability Model 

Whilst PKIX has defined a Certificate and CRL profile, one has not been
produced for all elements of a PKI. The intent of the Model is to assist in formulating
such profiles. Following a summary of the model the paper summarises some of our
experiences in achieving interoperability.

The major elements that the Interoperability Model covers are summarized in the 
following paragraphs. 
• Key Generation. Three basic key generation schemes are possible: Centralized at
the CA, at the EE Client or to have Split Keys. In this last case one set of keys is
generated at the EE for a particular set of purposes and another set generated at the
CA.

• Encapsulation protocol. If the public key is generated at the EE then a means of
securely sending the public key and receiving back the certificate is required.
Four main encapsulation protocols are (or will be soon) available from products.
These protocols are PKCS#10-PKCS#7, Verisign’s CRS, PKIX CMP and PKIX
CMC.

• Transport. The encapsulation protocols provide message protection. However they
still have to be transported around the network. Whilst web-based http is clearly
the natural (and dominant) technique, it is actually quite complicated, partly due to
the authentication issue (see below). As those with Internet issued certificates will
be aware, obtaining them for a Web Browser is a painful multi-step process,
involving a number of Web dialogues plus an e-mail transaction. Because it is a
manual, user driven process, most Web Browsers can interact quite successfully
with CAs. However dealing with other applications illustrates the point that in
general PKI-enabled applications are not well integrated with CAs.

• Authentication. There are two basic schemes involved in authenticating the owner 
of a public key prior to its certification. In the case of class 1 VeriSign certificates, 
no real authentication is actually performed. Therefore anyone could claim a false 
identity and obtain a certificate issued in that name. This is not the case though for 
higher grade certificates, such as VeriSign class 3 certificates. The authentication 
schemes generally available are: 

- Manual approval at the CA 

- Automated approval at the CA using some type of “secret value” look-up 

- Centralized Token issuing with pre-authorization information. 

• Token/PSE Format. There is no widely deployed standard that currently defines 
the format and contents of the PSE. Currently a new standard is being drafted 
with the intention of defining the PSE for Smart Cards - this is PKCS#15. 

• Token Plug and Play. When using physical cryptographic tokens the emerging 
dominant API standard is PKCS#11. Most smart card vendors and high-end 
cryptographic accelerators support PKCS#11. PKCS#1I defines an API to add, 
modify and use cryptographic keys on the Token. The intention being for a PKI 
application supporting PKCS#11 to plug in any PKCS#11 Token. In reality it’s 
not quite that simple. 

• Publication/Retrieval protocol. The market leader in this area is the LDAP 
protocol. The version of LDAP most widely used at present is version 2 
(LDAPv2), but increasingly LDAPv3 server products are appearing. 

• Publication Protection. Certificates and CRLs are self-protecting objects, and
therefore the connection for publishing them on the LDAP server, at first sight,
does not seem to require protection. However as the connection requires “write
access” to the server, it is important to control access to limit those network entities
that can write to the server. The techniques used to protect this connection include
SSL.

• Schema. Publishing the PKI Information on the LDAP Server requires the server
to be configured with defined X.500 attributes and object classes. X.500 defines 
the required attributes, such as userCertificate. However the object classes, as 
originally defined, are not suitable for PKI deployment. PKIX has defined new 
Schema object classes that solve the original problems. 

• OCSP. CRLs are not the only mechanism available to determine whether a
certificate is still valid and has not been revoked. A new standard and technology
called On-line Certificate Status Protocol (OCSP) is being developed. Another
technology called Certificate Revocation Trees (CRT), offered by Valicert, is yet
another certificate revocation mechanism. All three mechanisms have different
characteristics, and each one has its benefits and problems.

• Certificate. A Certificate is a very complicated structure and can contain many
optional fields. An X.509 v3 certificate can have none, one or more extension
fields. A number of standard extensions are defined by ISO/IETF, but it is also
possible for various industry groupings to define their own extensions. Given the
complexity and richness of the Certificate together with its various optional fields,
inter-operability manifests itself as a problem. Therefore one aspect of the PKIX
working group has been to develop a certificate profile to increase the probability
of inter-operability of systems using PKIX conformant certificates. This is defined
in RFC2459.

• CRL. RFC2459 also contains a profile for CRLs based on the ITU-T X.509 CRL
version 2 standard.

• Cross-certification. In some topologies there is a requirement for peer CAs to
certify each other’s public keys and then publish them in the form of cross-
certificates. Cross-certification can be performed either manually or
automatically.



3 Our Experiences of Interoperability 

Entegrity Solutions are focused on delivering Secure Applications based on the
Entegrity Secured Application Platform™ working within many different CA vendor
environments; our CA Partners include CyberTrust, VeriSign and IBM. Our intent is
to be inter-operable in as many PKI environments as possible, both the infrastructure
and the PKI-enabled applications. This paper concentrates on our experiences of
interoperability testing with many different CA vendors, but also touches upon other
areas.



3.1 Certificate and Certificate Path processing 

In general all Certificates from the main CA vendors seem to be well constructed and
can be decoded. However note that there are some aspects that could give rise to inter-
operability issues:

• Some CAs do not have the ability to support RFC-822 names in the X.509v3
alternate name extension. What is quite common is to use the “EA= “ attribute in
the DN rather than an RFC-822 Alt Name. This can give rise to problems for some
secure e-mail packages expecting the Alternative Name extension (or vice versa).

• Sometimes you do see non-standard OID encoding in the DN (e.g.
OID.2.5.4.5=123). This technique is also sometimes used to carry RFC-822
names in the DN.

• Obviously private extensions in X.509v3 certificates can give rise to problems,
especially if they are marked critical (which fortunately is rare). The biggest
culprit in this area is Microsoft.

• The Key Usage, Basic Constraints and Subject KeyID extensions are now widely
used, although some older products do not support these features.

• There seems to be wide variety concerning the Authority KeyID extension. It is
either not used, or either the hash or issuer name method is used. It’s not clear
whether all EE PKI-Enabled s/w can cope with this variety.

We have found that using our technology Certificate chain validation is not a
problem. All CA vendor products we have tested successfully pass our tests.



3.2 ASN.1 Encoding problems

Given that ASN.1 is such a rich standard with various encoding rules, but yet it is
frequently specified partially in English, it is not surprising that ambiguities or
implementation problems manifest themselves. Surprisingly they do not appear in
encoding X.509 certificates. Recently we have discovered two problems with
products in other areas.

• If you send an S/MIME-PKCS#7 message with mixed BER/DER encoding to a well
known web browser/e-mail client, it crashes (although earlier versions handled it
OK).

• If a PKCS#10 certificate request that has any BER encoding is sent to a well known
CA product, then it cannot parse the request.

This illustrates the point that not all PKI based products, whether Infrastructure
components or PKI-enabled applications, can cope with the vagaries of a full ASN.1
implementation. Some products only expect DER encoding.
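To make the DER-only point concrete, the following is an added checker (not from the paper or from any product it mentions) that walks an ASN.1 TLV structure and reports the BER constructs DER forbids, so that an encoder's output can be tested before it is sent to a DER-only product. The sample encodings are constructed for the example.

```python
# Added example, not from the paper: a strict-DER checker. It walks an ASN.1
# TLV structure and reports encodings that are valid BER but not DER, which
# products that "only expect DER encoding" may reject or mishandle.

STRING_TAGS = {0x03, 0x04, 0x0C, 0x13, 0x16}   # BIT/OCTET/UTF8/Printable/IA5 STRING


def _walk(data, pos, findings):
    """Parse one TLV starting at pos, append (offset, reason) for every
    DER violation found, and return the position just after the TLV."""
    start = pos
    tag = data[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                      # high-tag-number form
        while data[pos] & 0x80:
            pos += 1
        pos += 1
    constructed = bool(tag & 0x20)
    universal = (tag & 0xC0) == 0
    first = data[pos]
    pos += 1
    if first == 0x80:                           # indefinite length: BER only
        findings.append((start, "indefinite length"))
        if not constructed:
            raise ValueError("indefinite length on a primitive value")
        while data[pos:pos + 2] != b"\x00\x00":  # walk children up to EOC
            if pos + 2 > len(data):
                raise ValueError("missing end-of-contents octets")
            pos = _walk(data, pos, findings)
        return pos + 2
    if first < 0x80:                            # short form
        length = first
    else:                                       # long form
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        # DER: shortest form only, no leading zero octets, short form if < 128
        if length < 0x80 or data[pos] == 0:
            findings.append((start, "non-minimal length encoding"))
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated value at offset %d" % start)
    if constructed:
        if universal and (tag & 0x1F) in STRING_TAGS:
            findings.append((start, "constructed string (DER requires primitive)"))
        while pos < end:
            pos = _walk(data, pos, findings)
        if pos != end:
            raise ValueError("child overruns parent at offset %d" % start)
    elif universal and (tag & 0x1F) == 0x01:    # BOOLEAN
        if length != 1 or data[pos] not in (0x00, 0xFF):
            findings.append((start, "BOOLEAN must be 00 or FF in DER"))
    return end


def der_findings(data):
    """Return a list of (offset, reason) DER violations; empty means strict DER."""
    findings = []
    pos = 0
    while pos < len(data):
        pos = _walk(data, pos, findings)
    return findings


def is_strict_der(data):
    return not der_findings(data)


# Constructed samples: the same SEQUENCE { INTEGER 5, BOOLEAN TRUE } in DER
# and in a BER form that a lenient encoder might produce.
DER_SAMPLE = bytes.fromhex("3006 020105 0101FF")
BER_SAMPLE = bytes.fromhex("3080 02810105 010101 0000")

if __name__ == "__main__":
    print(is_strict_der(DER_SAMPLE))   # True
    for offset, reason in der_findings(BER_SAMPLE):
        print("offset %d: %s" % (offset, reason))
```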



3.3 LDAP 

In theory LDAPv3 is a superset of LDAPv2 and hence any LDAPv2 client (for
instance a secure e-mail client) should be able to retrieve certificates and CRLs from
an LDAPv3 server. In reality this is not true. Fetching certificates/CRLs means that
they need to be transferred as binary objects. LDAPv3 states that the LDAP client,
when requesting a binary object, needs to specify the “;binary” key word with the
name of the attribute being fetched.

Publishing to an LDAP server is also problematic, although in the main it is an easy
problem to resolve. The original definition of the PKI attributes, such as
userCertificate, meant that the user’s LDAP entry and this attribute had to be created in
one atomic operation. To get around this problem CA vendors defined new object
classes in which all CA information written to the LDAP server was optional.
Until recently all products had their own definitions and names for these object
classes, although in general they were very similar. Recently PKIX has standardized
on 2 new object classes pkiUser and pkiCA. This approach demands that the LDAP
server can be configured with these new object classes.



3.4 Certification Requests 

The prevalent certification model deployed is that of using a combination of Web
and e-mail. The steps one would take are similar to the following:

• User would browse to the CA’s web page 

• An option on the page would be to generate a key pair and request a certificate. 
Prior to this the user will be prompted to enter personal information used for both 
identity authentication and creation of the certificate. 

• Selection of this option would cause an http message to be sent to the browser that
triggers a key pair to be generated and the public key sent back to the CA (usually
in the form of a PKCS#10 request). The browser is triggered to perform these
functions by specific MIME types in the http message.

• The CA would respond with a message saying that the certification request is being 
processed and that e-mail will be sent on how to pick up the certificate. Typically 
a request number and password will be provided (or defined by the user). 

• When the certificate has been generated, instigated either via a manual or 
automatic approval process e-mail is sent to the user. 

• The user then goes to the “pick up certificate” web page and requests the
certificate, entering authentication information as appropriate. An http message is
sent to the browser and because the http message has a particular MIME type it
causes the browser to “swallow” the certificate and place it in the appropriate
certificate store.

On-line certification outside a browser environment is not as well specified.
Whilst most CA products permit this approach, all the CA products have different
methods to achieve it. Different MIME types are used by the CA products and
various techniques for parameter passing.



3.5 PKCS#11 

Whilst PKCS#11 was created a number of years ago it is only recently that Smart 
Card and High Security Module (HSM) suppliers have started to release PKCS#11 
based device drivers. Because there is no recognised conformance test suite, in our 
experience, the quality of the implementations in general are not that good. 



3.6 PKCS#12 

PKCS#12 is a useful mechanism to transfer information between different PKI
components, e.g. for transferring EE information from an RA/CA into the EE’s PSE.
However not all RA/CA products can create PKCS#12 files containing the full
certificate path. That is, they can only populate it with a key pair and the user
certificate. If an RA/CA has this limitation then it is not possible to create an EE PSE in a
single step, as the trusted certificate and any other subordinate CA certificates would
have to be loaded via other means.



4 Conclusions 

Certificate and Certificate Path processing are becoming “trivial” and there
is widespread inter-operability between PKI products.

However there are some immediate problem areas that need to be addressed: 

• Tighter CA and EE integration and standardisation, in particular in the area of on- 
line certification not using browsers 

• More robust and compliant PKCS#11 implementations

• Standardized PSE/Token formats (soft and hard) 

An area that more work is required on is that of the new generation of PKIX CMP 
and CMC management protocols. To date there are very few products that support 
these, therefore limited interoperability work has been accomplished. What 
interoperability problems there are will become evident by the beginning of next year 
as products supporting these protocols are released into the market. 
Abstract. Mobile networks have become a very attractive channel for the provision
of electronic services, as they are available almost anytime and anywhere. But for a
service provider, there are several mobile communication standards to choose from.
They differ in market penetration, flexibility, and security.

This paper gives a comparative overview of the security features of GSM, 
SIM Application Toolkit and WAP (Wireless Application Protocol). It de- 
scribes the trust relations involved, and gives examples of typical applications 
suitable for each of these standards. 

Results are that pure GSM is suitable only for applications with low sensitivity, as
the security features are limited. SIM Toolkit allows for the implementation of
application-specific end-to-end security, and is thus suitable for sensitive,
personalized applications like banking or brokerage. Finally, WAP defines a security
standard with choices for differently strong algorithms. In order to be suitable for
secure applications, the models for local storage have to be settled, and there must be
sufficiently many WAP phones with support for strong security on the market.



1 Introduction 

Mobile networks have become a very attractive channel for the provision of electronic
services: They are available almost anytime, anywhere, and user acceptance of mobile
devices is high. As a result, there is a strongly increasing amount of services offered
through mobile networks. They range from simple information services to sensitive
applications like banking or electronic commerce.

As a related development, standards for mobile applications are maturing, and new 
standards are being defined. This leads to a set of possible technologies a service pro- 
vider can choose from. They differ in depth of standardization, market penetration, 
flexibility and security. 

This paper focuses on the security features of GSM, SIM Application Toolkit and 
WAP (Wireless Application Protocol). It compares the security-related properties and 
the trust relations involved, and gives examples of typical applications suitable for 
each of the standards. 
2 GSM

GSM (“Global System for Mobile Communications” or “Groupe Speciale Mobile”) is 
a standard for digital mobile telephony, defined by the European Telecommunications 
Standards Institute (ETSI). The first GSM services were started around 1992. Today, 
this standard is used globally in more than 300 networks operating in more than 100 
countries. 

A basic design requirement of GSM was security of communication. The following 
paragraphs describe the security mechanisms employed, the implicit trust relations, 
and the suitable types of application for the given security features. 



2.1 Security Features 

GSM offers confidentiality, subscriber authentication, and subscriber identity confi- 
dentiality [2, 5]. The security mechanisms are only defined for the air interface, i.e., 
security of transport through fixed networks behind the base stations is left to the net- 
work providers. The security mechanisms are applied to all traffic, including short 
messages. 

Key Infrastructure: GSM Security is based on subscriber-individual symmetric
keys shared between the home network and each SIM card (subscriber identity
module). More precisely, there is one key k_i of 128 bit length per IMSI (International
Mobile Subscriber Identity). The SIMs are initialized with the k_i during personalization.
The individual subscriber keys are usually not transmitted over the network, but used
in a challenge-response protocol for authentication and key agreement.

Authentication: In an initial phase of a communication, the network sends a random
challenge RAND of 128 bit length to the end device. The device computes a 32 bit
response SRES = A3(k_i, RAND), where A3 is an authentication algorithm implemented
in the SIM and the network. SRES is sent back, and the network compares the received
SRES with the expected value.

Encryption: The symmetric encryption key k_c is derived using the same parameters
k_i and RAND which have been used for authentication; k_c = A8(k_i, RAND), where A8 is
again implemented in the SIM and the network. The actual data encryption is done
using the stream cipher A5, which is implemented in the end device (not the SIM) and
the network. The maximum effective length of k_c is 64 bit.

Subscriber Identity Confidentiality: The objective of subscriber identity confidenti- 
ality is to conceal the IMSI during normal operation by the use of temporary IDs 
(TMSI), such that an attacker cannot easily figure out who is participating in a con- 
nection. 

As described above, the algorithms for authentication and key generation (A3 and
A8) are implemented in the SIMs and the home networks. If the user is outside the
home network, the visited network can request sets of corresponding triples (RAND,
SRES, k_c) from the home network. This allows the visited network to communicate
with the handset without gaining access to A3 and A8.
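The challenge-response exchange and the roaming case with triples, as an added simulation that is not part of the paper: both the SIM side and the network side are modelled, so it is visible which values cross the air interface and which never leave the home network. A3 and A8 are operator-specific and unpublished, so truncated HMAC-SHA256 outputs stand in for them here (an assumption for illustration only); the IMSI and k_i values are constructed.

```python
# Added example, not from the paper: a simulation of the GSM challenge-response
# authentication and key agreement described above, including the roaming case
# where the visited network only receives (RAND, SRES, k_c) triples. A3 and A8
# are operator-specific and unpublished, so truncated HMAC-SHA256 outputs stand
# in for them here (an assumption for illustration only).
import hashlib
import hmac
import os

KI_BYTES, RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 16, 4, 8   # 128/128/32/64 bit


def a3(ki, rand):
    """Stand-in for A3: 32-bit signed response SRES from k_i and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8(ki, rand):
    """Stand-in for A8: 64-bit cipher key k_c from k_i and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


class SIM:
    """Subscriber identity module: k_i is written during personalization and
    never leaves the card; only the A3/A8 outputs are returned."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class HomeNetwork:
    """Home network (authentication centre): holds every subscriber's k_i and
    hands out precomputed triples, so other networks need neither k_i nor
    the A3/A8 algorithms."""

    def __init__(self):
        self._keys = {}

    def personalize(self, imsi):
        ki = os.urandom(KI_BYTES)
        self._keys[imsi] = ki
        return SIM(imsi, ki)

    def triples(self, imsi, count=1):
        ki = self._keys[imsi]
        out = []
        for _ in range(count):
            rand = os.urandom(RAND_BYTES)
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class VisitedNetwork:
    """Serving network: authenticates a handset using triples from the home
    network; it sees RAND, SRES and k_c but never k_i."""

    def __init__(self, home):
        self.home = home
        self.session_keys = {}

    def authenticate(self, sim):
        rand, expected_sres, kc = self.home.triples(sim.imsi)[0]
        sres, _ = sim.respond(rand)        # only RAND and SRES cross the air interface
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.session_keys[sim.imsi] = kc   # both ends now share k_c for A5
        return True


def demo():
    """Constructed scenario: a genuine SIM authenticates while roaming,
    a SIM holding the wrong k_i for the same IMSI is rejected."""
    home = HomeNetwork()
    sim = home.personalize("IMSI-sample-1")          # placeholder IMSI
    visited = VisitedNetwork(home)
    genuine_ok = visited.authenticate(sim)
    rogue_ok = visited.authenticate(SIM("IMSI-sample-1", os.urandom(KI_BYTES)))
    return genuine_ok, rogue_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```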
As the SIMs and their contents (including A3 and A8) are controlled by the respective
networks, this structure leaves room for national and business policy enforcement.
A5, on the other hand, has to be supported by all networks and end devices in order to
interoperate properly.

Although the algorithms are not published officially, one widely employed
implementation of A3/A8 called COMP128 and a compatible algorithm to A5 have been
published [9, 12]. COMP128 has been shown to leak k_i, and attacks against an
algorithm similar to A5 have been published in [10]. Further publications on A5 are
expected in the near future. This has led to some uncertainty with regard to the actual
strength of encryption and authentication of productive GSM networks.



2.2 Trust Relations 

Users and service providers relying on the GSM security have to trust the network 
providers in the following aspects: 

• They have to trust all network providers involved in the communication, regarding 
privacy of information and keying material, and 

• the home network provider, regarding proper choice of algorithms A3/A8. 



2.3 Area of Application 

Given the security infrastructure described above, “pure” GSM should only be used 
for applications with low sensitivity, like public information services. Examples for 
such services include: 

• General information (e.g., weather forecasts, sports results) 

• Cell broadcast (e.g., nearest restaurant) 

• Non-sensitive personalized financial information (e.g., stock information according 
to a customer’s profile) 

Sensitive applications like account statements or financial transactions should employ 
additional security mechanisms, as described in the following sections. 



3 SIM Application Toolkit 

The SIM Application Toolkit is a GSM specification which defines an interface be- 
tween GSM handsets and subscriber identity modules (SIMs) [8]. As described in the 
previous section, SIMs are smart cards which carry information related to the sub- 
scriber and the GSM provider, like individual secret keys, algorithms for key genera- 
tion and authentication, and the subscriber’s address book. 

The SIM Application Toolkit allows applications stored on the SIM to communi- 
cate through the handset with the user and the network. In other words, applications on 
the SIM can use the handset as I/O device with the help of the SIM Application
Toolkit. For example, applications can define simple menu structures which set up calls to
service numbers, but they can also be used to add secure data communication via
GSM. More specifically, the SIM Application Toolkit [8] includes the following
functionality:

• Display text and menus 

• Receive input from the keypad 

• Send and receive short messages 

• Set up calls 

• Communicate with a secondary smart card (for dual-slot handsets) 

Although a SIM Toolkit application can be any kind of application running on a 
given SIM, there are standardization efforts underway within ETSI to define an appli- 
cation programming interface for higher-level languages (SIM API). The goal is to 
have a framework where a SIM application can access SIM Toolkit features through a 
standardized API for each relevant programming language. The general framework is 
specified in [3], and specific Java bindings are given in [4]. A similar specification for 
Visual Basic is under consideration.

Apart from defining an interface to SIM Toolkit, the SIM API also comprises 
functions for access to GSM files on the SIM and low-level functionality, such that an
applet can act as the basic GSM application towards the handset. 

These standardization efforts lead to a simplified development of SIM Toolkit Ap- 
plications. A Java programmer can use the standardized interfaces to develop an app- 
let for a Java SIM card which interacts with the external world through SIM Applica- 
tion Toolkit, without dependencies of the specific platform. 



3.4 Security Features 

SIM applications have access to incoming short messages, and can send short mes- 
sages by themselves. Hence, they can be used to add encryption and authentication to 
short messages. There are no limitations to the security mechanisms employed, except 
those imposed by the technical limits of the SIM. 

In contrast to basic GSM security, SIM Application Toolkit allows for an end-to- 
end-security between the subscriber and a service (content) provider, such that mes- 
sages can be encrypted, for example, between a SIM and a banking server. This makes 
security independent of limitations of the GSM algorithms. 

There are SIMs capable of RSA computations available, such that RSA-based pub- 
lic-key systems can be used directly on the SIM. Alternatively, implementations of 
elliptic curve cryptography can be used. But since most GSM providers currently do 
not use cards suitable for public key systems, most of today’s applications are secured 
by symmetric algorithms. 

Short message formats including security features are defined in [6]. The specification covers encryption, authentication, redundancy checks, counter management, and proof of reception handling. For this purpose, it defines a header to be included in protected short messages. Currently, identifiers for DES and triple DES (two or three keys) are specified for encryption as well as for message authentication. 

In addition, there are identifiers defined for proprietary algorithms and for algorithms known implicitly by sender and receiver. This allows for the application of arbitrary algorithms. For key agreement, there are four bits to indicate one of several keys (separately for encryption and message authentication). The actual keys have to be agreed upon through a channel outside the scope of the specification. 

There are different possibilities for key distribution, which can also be combined: 

• Hardcoded keys which are stored on the card during personalization 

• Distribution of keys over the air, using a transport key for security 

• User input of key material (complete keys or seed) 

The selection of an appropriate scheme depends on the required flexibility of the 
application and on the security requirements. For example, distribution over the air is 
useful for key rollover, and user input of key material can be used to establish a shared 
secret between the SIM and the application server, thus taking the network provider 
out of the loop. 

If a dual-slot handset is used, the SIM Toolkit Application can make use of a sec- 
ondary cryptographic smart card. This is a useful feature if, for example, users already 
have a standardized signature card. The SIM application can then coordinate the dis- 
play of data to be signed, PIN input and the actual signature generation on the secon- 
dary card. 



3.5 Trust Relations 

Although SIM Application Toolkit allows for end-to-end security, the GSM provider is still involved in the trust relations because it usually owns the SIM. All data put on the SIM, including applications and keys, is in principle under the control of the network provider. 

This control can be tight, where the network provider actually puts applications and 
secret keys on the card, or loose, where the provider gives download keys to the serv- 
ice provider. 

The communication parties have to trust the network provider and the card manu- 
facturer in that they do not misuse or leak the (potential) knowledge of information 
stored on the SIM. A lower level of trust is necessary when the application allows for 
entering additional keying material shared between the end-user and the service pro- 
vider. In any case, there is no trust necessary concerning intermediate networks, as is 
the case for pure GSM security. 
3.6 Area of Application 

SIM Application Toolkit is most suitable for sensitive, personalized services, such as 
banking and brokerage. Security mechanisms can be agreed upon individually per 
application, and the SIM is a very suitable storage device for secret application keys. 

One basic application useful as a building block for many solutions is a signature application. In such an application, the SIM contains a private signing key and some application logic which controls the signature process. It receives short messages which contain the document to be signed, displays the content to the user, and generates a signature on user demand. The signatures can then be sent back to the source of the document, or to a different recipient. This way, the handset becomes a general-purpose and highly secure signature device. The signature process can be triggered by any kind of external application, like a Web application or a brokerage system driven by stock trading events. 



4 Wireless Application Protocol (WAP) 

WAP [13] is a protocol stack for mobile environments which enables services similar 
to the Internet, in particular the WWW. The stack is based on a bearer like SMS mes- 
saging or GPRS (General Packet Radio Service). Further layers include transport, 
security, session and application layers. The application layer defines a markup lan- 
guage called WML which is interpreted in a browser on the client side. 

WAP is being defined by the WAP Forum, an industry group comprising handset manufacturers, wireless service providers, infrastructure providers, and software developers. The WAP specification was released in its first version in April 1998. Since then most cellular vendors have been active in developing network components and terminals for WAP. The first services were shown in early 1999. 



4.7 Security Features 

The security layer protocol in the WAP architecture is called Wireless Transport 
Layer Security, WTLS [15]. The primary goal of the WTLS layer is to provide pri- 
vacy, data integrity and authentication between two communicating applications. 
WTLS provides functionality similar to TLS 1.0 [1], but it is optimized for low- 
bandwidth bearer networks with relatively high latency. Differences to TLS include 
specifications for elliptic curve cryptography, small-sized digital certificates, opti- 
mized handshake and dynamic key refreshing. 

Like TLS, WTLS defines a set of cipher suites, including weak and strong ones. The cipher suite for a connection is agreed upon during an initial handshake phase. Key exchange ciphers include RSA, Diffie-Hellman, and EC-Diffie-Hellman, all with different key lengths and partly without authentication. It is also possible to start from a shared secret (established on a different channel), such that no public key cryptography needs to be used. For bulk encryption, the algorithms RC5, DES, triple DES and IDEA are defined, each with different effective key lengths in order to cover export control requirements. For symmetric message authentication, WTLS specifies keyed MACs based on SHA-1 (160 bit key) and MD5 (128 bit key). 

For the storage and usage of key material and related personal information, WAP 
defines a WIM (WAP Identity Module) [14]. A WIM can be in principle any kind of 
module, but the standard notes explicitly the possibilities to include a WIM application 
in the SIM or to use an external smart card. 

The functionality of the WIM is to support the WTLS protocol, but also to provide application level functionality. For WTLS, it can perform such functions as generation of random numbers, storage and usage of private and public keys, and computation of the various symmetric keys. Functionality offered to applications includes unwrapping of symmetric keys with the help of a securely stored private key, and signing of hashes. These operations can be called from WAP applications through WMLScript (a scripting language similar to JavaScript), or by applications external to WAP. 

Security-related data is stored according to PKCS#15 [11]. This allows non-WAP 
applications to have a standardized access to the keys. It is thus conceivable that a user 
uses the same smart card for authentication in WAP with WTLS, and in the Internet 
using SSL or TLS. 



4.8 Trust Relations 

The trust relations in WAP depend on the position of the WAP server in the network 
architecture: It can either be hosted by the network provider or directly by the applica- 
tion service provider. In the first case, all parties have to trust the network provider, as 
the WAP server is one endpoint of the security relation. In the second case, informa- 
tion is transmitted securely between the user and the service provider, such that the 
network provider has no access to the data. 

In contrast to SAT, the network provider has only limited or no control of the ap- 
plications the user is accessing. This shifts additional responsibility onto the users: 
They have to assure themselves that the application they use really is what they intend 
to use. As a prerequisite, it is necessary that CA certificates stored in the end device or 
the WIM for server authentication are correct and trustworthy. 

When a SIM is to be used as WIM, the different trust models of SAT and WAP start to interfere. In SAT, the SIM is used by applications which are known and trusted by the card issuer, while in WAP, the applications are trusted by the user (and not necessarily by the card issuer). At the time of writing, the exact models of the extent to which SIMs are opened up to WAP applications are not completely sorted out. 
[Table 1. Comparison of security algorithms and key lengths; the table body is not present in this copy] 

4.9 Area of Application 

WAP is currently suited best for non-personalized information services which do not require strong client authentication, as models for local storage of key material and other personalized information are not yet completely settled. Once end devices with support for strong security are on the market, sensitive data can be transported via WAP. 

It has to be noted that secure WAP applications require a more security-aware and 
educated user than in the case of SIM toolkit, as there is no pre-evaluation of applica- 
tions by the network provider, and the users have to verify the authenticity of the serv- 
ers by themselves. 



5 Summary 

For applications over GSM-based mobile networks, there are currently three imple- 
mentation alternatives: Using standard GSM mechanisms, implementing an applica- 
tion on the SIM using the SIM Application Toolkit, or using the Wireless Application 
Protocol (WAP). There is no single best choice among the services: Pure GSM offers 
only limited security, but has the least restrictions concerning capabilities of the hand- 
sets. SIM Toolkit allows for the implementation of application-specific end-to-end 
security, but it is restricted to handsets capable of SIM Toolkit. Furthermore, SIM 
applications can be used only by those subscribers who have got suitable SIMs from 
their GSM providers. 



* For WAP WTLS, authentication is achieved through a combination of the asymmetric algo- 
rithms and keyed hashes. The mechanisms for anonymous key exchange are not mentioned in 
this table. 
Finally, WAP defines a security standard with choices for differently strong algorithms. Compared to SIM toolkit, it is much more standardized on the application and transport security level, such that any WAP browser can basically connect to any WAP server (provided they can agree on a common cipher suite). In order to be suitable for secure applications, the models for local storage of key material have to be settled upon, and there must be sufficiently many WAP phones with support for strong security on the market. 

Table 1 gives an overview of the algorithms and key lengths specified for the three 
standards under consideration. 
Abstract. In this paper a mechanism for securing sensitive MAP messages 
between network elements belonging to different network operators is 
described. The mechanism is currently under discussion in the security group of 
the Third Generation Partnership Project, a joint project of ETSI and Japanese, 
American, Korean and Chinese standardisation bodies working on the security 
specifications for UMTS. The proposed mechanism provides confidentiality, 
authenticity and integrity of the messages exchanged; however, there may be 
messages where no confidentiality or no protection at all is needed. Therefore, 
three levels of protection have been defined that are applied to the various MAP 
messages according to their sensitivity. 



1. Introduction 

The security of the global Signaling System No. 7 (SS7) network as a transport system for sensitive signaling messages between different telecommunication network elements is open to major compromise. Messages can be eavesdropped, altered, injected or deleted in an uncontrolled manner. For example, in mobile phone networks based on the GSM (Global System for Mobile Communication) standard, particularly sensitive authentication data of mobile subscribers have to be transported from the Authentication Centre (AuC) to the Visitor Location Register (VLR)¹ in order to authenticate the subscriber. 

For the first phases of the third generation mobile system UMTS (Universal Mobile Telecommunications System), a similar approach is foreseen. Transportation of the data will be done via the MAP (Mobile Application Part) protocol [3], a mobile-phone specific application protocol of the SS7 protocol stack (cf. [4], chapter 11)². If an intruder succeeds in eavesdropping on these sensitive data, serious impersonation attacks or eavesdropping of user traffic on the air interface may result (cf. section 2). In addition, there are several other sensitive MAP messages. Although no attack of this kind has been reported for GSM networks to date, it is intended for UMTS to protect against these kinds of attacks in order to achieve a consistently increased security level. 

¹ For an overview of security-related signaling of GSM and similar systems, see e.g. [1], chapter 7; more specific information can be found in [2]. 

Therefore, in this document a mechanism for securing sensitive MAP messages 
between network elements is described. The mechanism is currently under discussion 
in the security group of 3GPP (Third Generation Partnership Project), a joint project 
of ETSI and Japanese, American, Korean and Chinese standardisation bodies working 
on the security specifications for UMTS. 

The proposed mechanism provides confidentiality, authenticity and integrity of the 
messages exchanged; however, there may be messages where no confidentiality or no 
protection at all is needed. Therefore, three levels of protection have been defined that 
are applied to the various MAP messages according to their sensitivity: Protection 
mode 0 is identical to the original MAP message in cleartext and thus provides no 
protection, while protection mode 1 provides integrity and authenticity, and protection 
mode 2 provides confidentiality, integrity and authenticity of MAP messages. 



2. The Main Threat: Compromise of Authentication Data 

In mobile phone networks using a similar approach for authenticating the user as the GSM network, authentication data can get compromised, either during its transport between the home environment and the serving network, or by unauthorised access to databases. This can lead to various serious attacks including the following: 

Forcing use of a compromised cipher key 

The intruder obtains a sample of authentication data and uses it to convince the user 
that he is connected to a proper serving network, and forces the use of a compromised 
cipher key. The intruder may force the repeated use of the same authentication data to 
ensure the same encryption key will be used for many calls. This leads to continuous 
eavesdropping. 

Impersonating the user 

The intruder obtains a sample of authentication data and uses it to impersonate a user 
towards the serving network. 

Although no attacks of this kind have been reported for second generation mobile networks to date, the security level for third generation mobile systems will be increased. The security improvements comprise the access as well as the core networks [5]. The present paper concentrates on the core network security features "Entity Authentication", "Data Confidentiality" and "Data Integrity" as defined in [6], section 5.2. In order to provide these features, a mechanism for effectively protecting authentication and other sensitive signaling data transmitted between network nodes of one operator (internal use) or between network nodes of different operators (external use) is proposed. 

² Note however that there are plans to have an alternative all-IP based network solution for UMTS with Release '00. In this case, an equivalent of the MAP protocol will handle the security-related information exchange. Clearly, the mechanisms presented in this document will hold accordingly. 



3. Overview of Mechanism 

The proposed mechanism consists of three layers. 



3.1 Layer I 

Layer I is a secret key transport mechanism based on an asymmetric³ crypto-system and is aimed at agreeing on a symmetric session key for each direction of communication between two networks X and Y. The party wishing to send sensitive data initiates the mechanism and chooses the symmetric session key it wishes to use for sending the data to the other party. The other party may choose a symmetric session key of its own, used for sending data in the other direction. The symmetric session keys are protected by asymmetric techniques. They are exchanged between certain newly defined elements called the Key Administration Centres (KAC) of the network operators X and Y. The format of the Layer I transmissions is based on ISO/IEC 11770-3: Key Management - Mechanisms using Asymmetric Techniques [7].⁴ It is proposed that public keys will be exchanged between a pair of network operators when setting up their roaming agreement.⁵ In this case no general Public Key Infrastructure (PKI) is required. For the transmission of the messages, no special assumptions regarding the transport protocol are made; a possible example would be IP. 



3.2 Layer II 

In Layer II the agreed symmetric session keys for sending and receiving data are distributed by the KACs in each network to the relevant network elements. For example, an AuC will normally send sensitive authentication data to VLRs belonging to other networks and will therefore get a session key for sending from its KAC. Layer II is carried out entirely inside one operator's network. However, it is clear that the distribution of the symmetric keys to the network elements must be carried out in a secure way, so as not to compromise the whole system. 



³ For UMTS a large number of network operators is expected. In this case key transport mechanisms based on asymmetric algorithms offer advantages regarding key management. Therefore, we propose to use an asymmetric scheme in Layer I. 

⁴ For a general overview of key transport mechanisms based on asymmetric techniques, see chapter 12.5 of [8]. 

⁵ In general a Public Key Infrastructure is required to handle public keys and the appropriate certificates. 
3.3 Layer III 

Layer III uses the distributed symmetric keys for securely exchanging sensitive data 
between the network elements of one operator (internal use) or different operators 
(external use) by means of a symmetric encryption algorithm. The encrypted (resp. 
authenticity/integrity-protected) messages will be transported via the MAP protocol. 



3.4 General Overview 

Figure 1 may help to clarify the proposal by providing an overview of the whole 
mechanism. Note that the messages are not fully specified in this figure. Rather, only 
the "essential" parts of the messages are given. More details on the format of the 
messages in the single layers will be provided in subsequent chapters. 




4. Layer I Message Format 

Layer I describes the communication between two newly defined network entities belonging to different networks, the so-called Key Administration Centres (KAC).⁶ We do not make any assumptions about the protocols to be used for this communication, although IP might be the most likely candidate. 



4.1 Properties and Tasks of Key Administration Centres 

It is assumed that there is only one KAC per network operator. As will become 
evident from the following, KACs are needed to perform the following tasks: 



⁶ For details on the abbreviations, see the appendix. 

• Generation and storage of its own asymmetric key pairs (different key pairs used for signing/verifying and encrypting/decrypting) 

• Storage of public key pairs of KACs of other network operators 

• Generation and storage of symmetric session keys for sending/receiving sensitive information to network entities of other networks 

• Secure distribution of symmetric session keys to network entities in the same network. 

Due to these sensitive tasks, a KAC has to be physically secured. 



4.2 Transport of Session Keys 

The transport of session keys in Layer I is based on asymmetric cryptographic 
techniques (cf. [8]). 

In what follows, it is assumed that the involved networks have exchanged their respective public keys in the course of a roaming agreement. Therefore, no public key certificates are needed. 

In order to establish a symmetric session key with version no. i to be used for sending data from X to Y, KAC_X sends a message containing the following data to KAC_Y: 

E_PK(Y){X||Y||i||KS_XY(i)||RND_X||Text1|| D_SK(X)(Hash(X||Y||i||KS_XY(i)||RND_X||Text1))||Text2}||Text3 

The reasons for this message format are as follows: 

• Encrypting the message with the public key of the receiving network Y (used for encrypting) provides message confidentiality, while decrypting the message body with the private key of the sending network X (used for signing) provides message integrity and authenticity. 

• X includes RND_X to make sure that the message contents contain some random data before signing. 

The symmetric session keys KS_XY(i) should be periodically updated by this process, thereby moving on to KS_XY(i+1). For each new session key KS_XY the version no. i is incremented by one. 

After having successfully decrypted the key transport message, having verified the digital signature of the sending network including the hash value, and having checked the received i, the receiving network starts Layer II activities. 

If anything goes wrong, e.g. computing the hash value of X||Y||i||KS_XY(i)||RND_X||Text1 does not yield the expected result, a RESEND message should be sent by Y to X in the form 

RESEND||Y||X 

Y shall reject messages with i smaller than or equal to the currently used i. 
After having successfully distributed the symmetric session key received from network X to its network entities, network Y sends a KEY_DIST_COMPLETE message to X. This is an indication to KAC_X to start with the distribution of the key to its own entities, which can then start to use the key immediately. The message takes the form 

KEY_DIST_COMPLETE||Y||X||i||RND_Y|| D_SK(Y)(Hash(KEY_DIST_COMPLETE||Y||X||i||RND_Y)) 

where i indicates the distributed key and RND_Y is a random number generated by Y. Network Y includes RND_Y to make sure that the message contents determined by X will be modified before signing. The digital signature is appended for integrity and authenticity purposes. 
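The Layer I key transport of this section as an added example, not code from the paper: two KACs that have exchanged public keys build and check the key transport message, including the rule that a version no. i not newer than the current one is rejected. RSA-OAEP stands in for E_PK, an Ed25519 signature over the hash for D_SK(Hash(...)), network ids are single bytes, and the Text fields and the KEY_DIST_COMPLETE reply are left out; all of these are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)
// Field sizes are this example's choice: one-byte network ids, 16-byte KS and RND; the
// optional Text1..Text3 fields of the paper are left empty.
const (
	ksLen, rndLen = 16, 16
	bodyLen       = 1 + 1 + 4 + ksLen + rndLen + ed25519.SignatureSize
)

// Peer holds the public keys an operator hands over with the roaming agreement (no PKI needed).
type Peer struct {
	Enc *rsa.PublicKey    // for encrypting key transport messages to this operator
	Sig ed25519.PublicKey // for verifying its signatures
}

// KAC is a Key Administration Centre (section 4.1): two key pairs, the peers, the replay state.
type KAC struct {
	ID      byte
	enc     *rsa.PrivateKey
	sig     ed25519.PrivateKey
	peers   map[byte]Peer
	current map[byte]uint32 // highest version no. i accepted from each peer so far
}

func NewKAC(id byte) (*KAC, error) {
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sig, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KAC{ID: id, enc: enc, sig: sig, peers: map[byte]Peer{}, current: map[byte]uint32{}}, nil
}

// AddPeer records the other operator's public keys, as exchanged when the roaming agreement is set up.
func (k *KAC) AddPeer(p *KAC) { k.peers[p.ID] = Peer{&p.enc.PublicKey, p.sig.Public().(ed25519.PublicKey)} }
// KeyTransport is X's Layer I message to Y:
//   E_PK(Y){ X||Y||i||KS_XY(i)||RND_X || D_SK(X)(Hash(X||Y||i||KS_XY(i)||RND_X)) }
// with RSA-OAEP as E_PK and an Ed25519 signature over the hash standing in for D_SK.
func (k *KAC) KeyTransport(y byte, i uint32, ks []byte) ([]byte, error) {
	p, ok := k.peers[y]
	if !ok || len(ks) != ksLen {
		return nil, errors.New("unknown peer or bad session key length")
	}
	rnd := make([]byte, rndLen) // RND_X: fresh randomness in every signed message
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	fields := bytes.Join([][]byte{{k.ID, y, byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}, ks, rnd}, nil)
	h := sha256.Sum256(fields)
	body := append(fields, ed25519.Sign(k.sig, h[:])...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Enc, body, nil)
}

// ReceiveKeyTransport is Y's side: decrypt with SK(Y), verify X's signature over the hash and
// reject a version no. i smaller than or equal to the current one. Any error means Y should
// answer RESEND||Y||X; success means Y may start Layer II with the returned KS_XY(i).
func (k *KAC) ReceiveKeyTransport(msg []byte) (x byte, i uint32, ks []byte, err error) {
	body, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.enc, msg, nil)
	if err != nil || len(body) != bodyLen || body[1] != k.ID {
		return 0, 0, nil, errors.New("undecryptable, malformed or not addressed to this KAC")
	}
	fields, sig := body[:bodyLen-ed25519.SignatureSize], body[bodyLen-ed25519.SignatureSize:]
	x = fields[0]
	p, ok := k.peers[x]
	h := sha256.Sum256(fields)
	if !ok || !ed25519.Verify(p.Sig, h[:], sig) {
		return 0, 0, nil, errors.New("unknown sender or bad signature")
	}
	i = binary.BigEndian.Uint32(fields[2:6])
	if cur, seen := k.current[x]; seen && i <= cur {
		return 0, 0, nil, fmt.Errorf("version no. %d is not newer than the current %d", i, cur)
	}
	k.current[x] = i
	ks = append([]byte(nil), fields[6:6+ksLen]...)
	return x, i, ks, nil
}

func main() { // constructed demo; the session key value is made up
	x, _ := NewKAC('X')
	y, _ := NewKAC('Y')
	x.AddPeer(y)
	y.AddPeer(x)
	msg, _ := x.KeyTransport('Y', 1, bytes.Repeat([]byte{7}, ksLen))
	from, i, ks, err := y.ReceiveKeyTransport(msg)
	fmt.Printf("from %c: KS_XY(%d)=%x err=%v\n", from, i, ks, err)
}
```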



5. Layer II Message Format 

In Layer II symmetric session keys (to encrypt/decrypt data before sending/after receiving) are distributed by the KACs in each network to the relevant network elements. For example, an AuC_X will normally send sensitive authentication data to VLR_Y and will therefore get a session key KS_XY from its KAC_X. Layer II is carried out entirely inside one operator's network. 

However, in order to achieve a more consistent overall scheme, in this section it is suggested to use for Layer II the same mechanism for distributing the keys as in Layer I. This requires the KACs of the different networks to generate and distribute asymmetric key pairs for the network elements of that network. These key pairs will then be used to transfer the symmetric session keys in the same way as in Layer I. 

The public and private key pairs needed for the network entities should be 
distributed to the entities in a secure way, which is in principle an operation & 
maintenance task. One way to do this is to distribute the key pairs, along with the 
necessary crypto-software, to the network entities in the form of chipcards, which can 
also carry out the necessary computations. Therefore, all that has to be added to the 
present network entities are chipcard readers with a standardised interface. Thus, on 
adoption of this proposal, in addition to their present tasks, the network entities would 
have to: 

• Store the symmetric session keys to encrypt/decrypt data before sending/after 
receiving to/from network entities of other networks (external) and of their own 
network (internal) 

• Encrypt/decrypt MAP messages according to their mode of protection (see 
section 4). The necessary computations may be carried out by chipcards. 

In addition to their tasks listed in section 3.1, the KACs would have to: 

• Generate and store asymmetric key pairs for network entities in the same 
network 

• Distribute asymmetric key pairs to network entities in the same network. 
The Layer II messages themselves take the same form as in section 2, where the 'receiving network Y' has to be replaced by 'receiving network entity NE_Y' (or X by NE_X). Further, the Key Distribution Complete message is not needed in Layer II. 

In order to ensure that no network element starts enciphering with a key that not all 
potentially corresponding network elements have received yet, the following 
approach is suggested: 

The distribution of the session keys KS_XY in network X, which initiated the Layer I message exchange, should not begin before the Key Distribution Complete message from the receiving network Y has been received by KAC_X in Layer I. As soon as a network element of X has received a session key KS_XY, it may start enciphering with this key. 

A similar statement holds if the transported keys are used internally only: in this case, all network elements of X should first get the symmetric session key KS_XX to be used internally for encryption (marked with flag RECEIVED); once all network elements have acknowledged that they have recovered these keys, KAC_X sends the same key again (marked with flag SEND). Again, as soon as a network element has received the session key KS_XX (marked with flag SEND), it may start enciphering with this key. 

This results in the message format described in the following. 

As for layer I, no assumptions about the transport protocol are made, although IP 
might be a good candidate. 



5.1 Sending a Session Key for Decryption 

In order to transport a symmetric session key (marked with flag RECEIVE) with version no. i to be used in NE_Y to decrypt data received from network elements of network X, KAC_Y sends a message containing the following data to NE_Y: 

E_PK(NE_Y){X||NE_Y||RECEIVE||i||KS_XY(i)||RND_Y||Text1|| D_SK(Y)(Hash(X||NE_Y||RECEIVE||i||KS_XY(i)||RND_Y||Text1))||Text2}||Text3 

After having successfully decrypted the key transport message and having verified the digital signature of the sending network including the hash value, the receiving network entity sends a key installed message to its Key Administration Centre KAC_Y. The message takes the form: 

KEY_INSTALLED||X||NE_Y||RND_Y||i 

This message can only be sent by the receiving network entity, because only this entity can know RND_Y. If anything goes wrong, e.g. computing the hash value of X||NE_Y||RECEIVE||i||KS_XY(i)||RND_Y||Text1 does not yield the expected result, a RESEND message should be sent by NE_Y to KAC_Y in the form 

RESEND||NE_Y 
In order to transport a symmetric SEND key with version no. i to be used for sending data from NE_X to network elements of network Y, KAC_X sends a message containing the following data to NE_X: 

E_PK(NE_X){NE_X||Y||SEND||i||KS_XY(i)||RND_X||Text1|| D_SK(X)(Hash(NE_X||Y||SEND||i||KS_XY(i)||RND_X||Text1))||Text2}||Text3 



6. Layer III Message Format 



6.1 General Structure of Layer III Messages 



Layer III messages are transported via the MAP protocol, that is, they form the payload of a MAP message after the original MAP message header. For Layer III messages, three levels of protection (or protection modes) are defined, providing the following security features: 

Protection mode 0: no protection 

Protection mode 1: integrity, authenticity 

Protection mode 2: confidentiality, integrity, authenticity 



Layer III messages consist of a security header and the Layer III message body. Depending on the protection mode, Layer III message bodies are protected by a symmetric encryption algorithm, using the symmetric session keys that were distributed in Layer II. Layer III messages have the following structure: 

  | Security Header | Layer III Message Body | 



In all three protection modes, the security header is transmitted in cleartext. It shall 
comprise the following information: 



• Protection mode 

• Other security parameters (if required, e.g. IV, version no. of key used, 
encryption algorithm identifier, mode of operation of encryption algorithm, 
etc.) 



Both parts of the Layer III message, security header and message body, become part of the "new" MAP message body. Therefore, the complete "new" MAP messages take the following form: 

  "old" MAP message:   | MAP Message Header | MAP Message Body                         | 
                                             <----------- Layer III Message ---------> 
  "new" MAP message:   | MAP Message Header | Security Header | Layer III Message Body | 
Like the security header, the MAP message header is transmitted in cleartext. In protection mode 2, providing confidentiality, the Layer III message body is essentially the encrypted "old" MAP message body. For integrity and authenticity, an encrypted hash value calculated on the concatenation of MAP message header, security header and the "old" MAP message body in cleartext is included in the Layer III message body in protection modes 1 and 2. In protection mode 0 no protection is offered; therefore the Layer III message body is identical to the "old" MAP message body in cleartext in this case. 

In the following subchapters, the contents of the Layer III message body for the 
different protection modes will be specified in greater detail. 



6.2 Format of Layer III Message Body 

6.2.1 Protection Mode 0 

Protection mode 0 offers no protection at all. Therefore, the Layer III message body 
in protection mode 0 is identical to the original MAP message body in cleartext. 

6.2.2 Protection Mode 1 

The message body of Layer III messages in protection mode 1 takes the following form: 

Cleartext||TVP||E_KSXY(i)(Hash(MAP Header||Security Header||Cleartext||TVP)) 

where "Cleartext" is the message body of the original MAP message in clear. 

Authentication of origin is achieved by encrypting the hash value of the cleartext by a symmetric encryption algorithm, since only a network element knowing KS_XY(i)⁷ can encrypt in this way. Message integrity and validation is achieved by hashing and encrypting the cleartext. 

Note that protection mode 1 is compatible to the present MAP protocol, since 
everything appended to the cleartext may be ignored by a receiver incapable of 
decrypting. 

6.2.3 Protection Mode 2 

The Layer III message body in protection mode 2 takes the following form: 

E_KSXY(i)(Cleartext||TVP||Hash(MAP Header||Security Header||Cleartext||TVP)) 

where "Cleartext" is the message body of the original MAP message in clear. 

Message confidentiality is achieved by encrypting with the symmetric session key. This also provides for authentication of origin, since only a network element knowing KS_XY(i) can encrypt in this way. Message integrity and validation is achieved by hashing the cleartext. TVP is a random number that avoids traceability.⁸ 



¹ The case X = Y, i.e. only one key for sending and receiving, corresponds to internal use inside 
network X. 

² By using a TVP as timestamp (perhaps derived from an overall present master time) replay 
attacks could be avoided. 






Secure Transport of Authentication Data in Third Generation Mobile Phone Networks 

7. Discussion 

7.1 Mapping of MAP Messages and Modes of Protection 

It is proposed that each network operator should be able to assign the mode of 
protection of each MAP message in order to adapt the level of protection according to 
its own security policy. 



7.2 Some possible problems 

In protection mode 2, the original MAP message body is encrypted in order to 
achieve confidentiality. For integrity and authenticity, an encrypted hash value 
calculated on the MAP message header and body in cleartext (i.e. the original MAP 
message) is appended to the message in protection modes 1 and 2. All protection 
modes need a security header to be added. 

When implementing these changes, care has to be taken that the maximum length 
of a MAP message (approx. 250 bytes) is not exceeded by the protected MAP 
messages of Layer III, otherwise substantial changes to the underlying SS7 protocol 
levels (TCAP and SCCP) would have to be made. 
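The following is an added example, not code from the paper, that builds and checks the three Layer III message bodies of section 6.2 and applies the length check of section 7.2. The paper leaves the symmetric algorithm and the hash unspecified, so the example makes two assumptions: SHA-256 run in counter mode stands in for E_KSXY(i), and SHA-1 stands in for the 160-bit Hash (chosen only for its output length; a new design would pick a current hash). The IV is assumed to be carried in the security header, and the key, headers, cleartext and TVP are constructed sample values. The last function demonstrates the caveat that drives the choice of that algorithm: with any stream-cipher or counter-mode construction, the "encrypted hash" of mode 1 can be re-targeted at a different cleartext by anyone who observes one message, because the cleartext is sent in clear and so the hash, and hence the keystream, is known.

```python
import hashlib
import hmac

MAX_MAP_BODY = 250   # approximate MAP message limit that section 7.2 warns about (bytes)
TVP_LEN = 8          # 64-bit TVP, as proposed in the appendix
HASH_LEN = 20        # 160-bit hash, as proposed in the appendix


def keystream_xor(key, iv, data):
    """Stand-in for the unspecified symmetric algorithm E_KSXY(i): SHA-256 used as a
    counter-mode keystream generator (an assumption of this example, not the paper's)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def tag(map_header, sec_header, cleartext, tvp):
    """Hash(MAP Header || Security Header || Cleartext || TVP); SHA-1 is used only
    because it is a 160-bit hash, matching the proposed length."""
    return hashlib.sha1(map_header + sec_header + cleartext + tvp).digest()


def layer3_body(mode, key, iv, map_header, sec_header, cleartext, tvp):
    """Build the Layer III message body of section 6.2 for protection mode 0, 1 or 2."""
    if mode == 0:
        return cleartext
    h = tag(map_header, sec_header, cleartext, tvp)
    if mode == 1:
        return cleartext + tvp + keystream_xor(key, iv, h)
    if mode == 2:
        return keystream_xor(key, iv, cleartext + tvp + h)
    raise ValueError("unknown protection mode")


def unprotect(mode, key, iv, map_header, sec_header, body):
    """Return (cleartext, authentic).  A mode-1 receiver that cannot decrypt simply
    drops the trailing TVP and encrypted hash, which is the backward compatibility
    claimed in section 6.2.2."""
    if mode == 0:
        return body, False
    if mode == 1:
        plain, enc_h = body[:-HASH_LEN], body[-HASH_LEN:]
        h = keystream_xor(key, iv, enc_h)
    elif mode == 2:
        plain = keystream_xor(key, iv, body)
        plain, h = plain[:-HASH_LEN], plain[-HASH_LEN:]
    else:
        raise ValueError("unknown protection mode")
    cleartext, tvp = plain[:-TVP_LEN], plain[-TVP_LEN:]
    return cleartext, hmac.compare_digest(h, tag(map_header, sec_header, cleartext, tvp))


def fits_in_map(body):
    """The length check of section 7.2: the protected body must still fit a MAP message."""
    return len(body) <= MAX_MAP_BODY


def forge_mode1_stream_cipher(map_header, sec_header, genuine_body, new_cleartext):
    """Why the cipher matters: in mode 1 the cleartext is visible, so an observer can
    recompute Hash, XOR it with the encrypted hash to recover the keystream, and re-tag
    any other cleartext under the same TVP.  This holds for any stream/counter-mode
    cipher; it does not apply when the hash is encrypted with a block cipher, where
    E_k(Hash) cannot be rewritten without the key."""
    plain, enc_h = genuine_body[:-HASH_LEN], genuine_body[-HASH_LEN:]
    cleartext, tvp = plain[:-TVP_LEN], plain[-TVP_LEN:]
    stream = bytes(a ^ b for a, b in zip(enc_h, tag(map_header, sec_header, cleartext, tvp)))
    new_h = tag(map_header, sec_header, new_cleartext, tvp)
    return new_cleartext + tvp + bytes(a ^ b for a, b in zip(stream, new_h))


# Constructed sample values (not from the paper): a 128-bit session key KS_XY(i), an IV
# assumed to be carried in the security header, and an invented MAP header and body.
KEY = bytes(range(16))
IV = b"\x10" * 16
MAP_HEADER = b"\x04\x01\x00\x2a"
SEC_HEADER = b"\x01" + IV
CLEARTEXT = b"sendAuthenticationInfo imsi=262011234567890 count=5"
TVP = b"\xde\xad\xbe\xef\x00\x00\x00\x01"

if __name__ == "__main__":
    for mode in (0, 1, 2):
        body = layer3_body(mode, KEY, IV, MAP_HEADER, SEC_HEADER, CLEARTEXT, TVP)
        print(mode, len(body), fits_in_map(body),
              unprotect(mode, KEY, IV, MAP_HEADER, SEC_HEADER, body)[1])
```

Two things a deployment adds on top of the format itself: fits_in_map should be applied to the Layer III body before it is handed to TCAP, and the receiver has to check the TVP for freshness (footnote 2), since the forged mode-1 message above reuses the genuine TVP and is otherwise indistinguishable from a legitimate one.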
Appendix: Abbreviations and Proposed Key Lengths 

The following abbreviations are used in this paper: 

AuC                 Authentication Centre 
D_SK(X)(data)       Decryption of "data" with the secret key of X (used for signing) 
E_KSXY(i)(data)     Encryption of "data" with symmetric session key #i for sending data from X to Y 
E_PK(X)(data)       Encryption of "data" with the public key of X 
ETSI                European Telecommunications Standards Institute 
GSM                 Global System for Mobile Communication 
Hash(data)          The result of applying a collision-resistant one-way hash function to "data" 
IV                  Initialisation Vector 
KAC_X               Key Administration Centre of network X 
KS_X(i)             Symmetric session key #i for sending data within network X 
KS_XY(i)            Symmetric session key #i for sending data from X to Y 
m1||m2              Concatenation of messages m1 and m2 
MAP                 Mobile Application Part 
NE_X                Network Element of network X 
RND_X               Unpredictable random value generated by X 
SCCP                Signaling Connection Control Part 
SS7                 Signaling System No. 7 
TCAP                Transaction Capabilities Application Part 
Text1               Optional data field 
Text2               Optional data field 
Text3               Public key algorithm identifier and public key version number 
                    (possibly included in a public key certificate) 
TVP                 Time Variant Parameter 
UMTS                Universal Mobile Telecommunications System 
VLR                 Visitor Location Register 
X, Y                Network identifier 

The following parameter lengths are proposed: 

TVP                 64 bit 
RND                 128 bit 
X, Y                32 bit 
Hash(data)          160 bit 
Public Key          2048 bit 
Secret Key          2048 bit 
KS_X, KS_XY         128 bit 
approximately as large as N, and if the decrypting exponent d is less than N^{1/4} then the 
modulus N can be factored by examining the continued fraction approximation 
of e/N. This follows because e and d satisfy the relation ed − kλ(N) = 1. Now 
letting λ(N) = (p − 1)(q − 1)/g, and s = 1 − p − q, we have that 

    edg − kN = g + ks.                                                      (1) 

Dividing both sides by dgN gives 

    e/N − k/(dg) = (g + ks)/(dgN) = 1/(dN) + ks/(dgN). 

Now using the assumption that e < N, and that s < N^{1/2}, means (from 
examining equation 1) that k/(dg) < 1, so that the right-hand side of the above 
equation is approximately N^{−1/2}. It is well known (see for instance [HW]) that 
if 

    |x − a/b| < 1/(2b^2) 

then a/b is a continued fraction approximant of x. Thus if N^{−1/2} < 1/(2(dg)^2) 
then k/(dg) will be a continued fraction approximant of e/N. This is true whenever 

    d < 2^{−1/2} (1/g) N^{1/4},                                               (2) 

and g will be small under the assumption that λ(N) ≈ N (though clearly g ≥ 2 
since both p and q are odd). Given dg one may calculate 

    r = (p − 1)(q − 1) = edg/k − g/k ≈ edg/k   (since g is small), 

and then we can factor N since the factors p and q satisfy the quadratic relation- 
ship x^2 − (N + 1 − r)x + N = 0. 
2.2 Guo's approach 

The approach taken by Guo assumes that one has more than one e for a 
given N and that each of these has a relatively small d_i. Guo only considers 
the problem for 2 and 3 encryption exponents. For 2 exponents we have the 
following relations: 

    e_1 d_1 g − k_1 (p − 1)(q − 1) = g, 
    e_2 d_2 g − k_2 (p − 1)(q − 1) = g, 

so multiplying the first by k_2, the second by k_1, and subtracting gives 

    k_2 d_1 e_1 − k_1 d_2 e_2 = k_2 − k_1.                                    (3) 

Dividing both sides of equation 3 by k_2 d_1 e_2 implies the following 

    e_1/e_2 − k_1 d_2/(k_2 d_1) = (k_2 − k_1)/(k_2 d_1 e_2), 

and assuming that the d_i (and hence the k_i if the e_i are large) are at most N^α means 
that the right-hand side is about N^{−(1+α)}. 

For the fraction k_1 d_2/(k_2 d_1) to be a continued fraction approximant of e_1/e_2, 
we must therefore have that 

    2(k_2 d_1)^2 < N^{1+α}, 

and with the assumptions that k_2 and d_1 are at most N^α and that g is small 
this condition will be true whenever α = 1/3 − ε for some ε > 0. 

However, like the situation with Wiener's attack, the fraction k_1 d_2/(k_2 d_1) 
does not break the cryptosystem, for two reasons: 

Firstly, knowing, say, the numerator k_1 d_2 does not allow us to find d_2 or k_1 
without factoring this number. 

Secondly, there may be a factor in common between d_1 k_2 and d_2 k_1, in which 
case the continued fraction method would not give a fraction with numerator 
k_1 d_2 and denominator k_2 d_1, but rather the fraction with the common factor 
removed. 

Guo assumes that the second problem does not exist, i.e. that we have 
gcd(k_1 d_2, k_2 d_1) = 1, and it is estimated that this happens with probability 
6/π^2 ≈ 0.6. 

To get around the first problem, Guo suggests that one could either try to 
factor k_2 d_1 (a number of size about N^{2/3} and not typically of a hard factorisation 
shape), or alternatively assume that one has another encrypting exponent e_3 with 
d_3 < N^{1/3}. Then (repeating the above procedure with e_1 and e_3) one can also 
find k_3 d_1, and calculating gcd(k_2 d_1, k_3 d_1) will hopefully (if gcd(k_2, k_3) = 1) give 
d_1 and thus allow the factoring of N. The probability of this attack working 
under the given assumptions is (6/π^2)^3 ≈ 0.23. 
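The two continued-fraction arguments above (Wiener's in section 2.1, Guo's in section 2.2), carried out in Python on a constructed instance; this is an added example, not code from the paper. The instance uses two ~30-bit primes with e chosen modulo λ(N) = lcm(p−1, q−1), so the paper's g = gcd(p−1, q−1) is 2 here and is recovered rather than assumed; the exponents 1009 and 1013 are far below N^{1/4}. The search over the small value g' is there because the convergent found is k/(dg) in lowest terms, which divides out gcd(k, g).

```python
from fractions import Fraction
from math import gcd, isqrt


def convergents(num, den):
    """Yield the successive convergents a/b (in lowest terms) of the continued
    fraction expansion of num/den."""
    p_prev, p_cur, q_prev, q_cur = 0, 1, 1, 0
    while den:
        a, (num, den) = num // den, (den, num % den)
        p_prev, p_cur = p_cur, a * p_cur + p_prev
        q_prev, q_cur = q_cur, a * q_cur + q_prev
        yield p_cur, q_cur


def wiener_factor(e, n, max_g=8):
    """Wiener's attack (section 2.1).  Each convergent a/b of e/N is tried as the
    reduced form of k/(dg).  From  e*dg - k*(p-1)(q-1) = g  one gets
    r = (p-1)(q-1) = (e*b - g')/a  with g' = g/gcd(k, g), so a few small g' are
    tried; p and q are then the integer roots of x^2 - (N+1-r)x + N = 0."""
    for a, b in convergents(e, n):
        if a == 0:
            continue
        for g in range(1, max_g + 1):
            if (e * b - g) % a:
                continue
            r = (e * b - g) // a          # candidate (p-1)(q-1)
            s = n + 1 - r                 # candidate p + q
            disc = s * s - 4 * n          # (p - q)^2 if the candidate is right
            if disc < 0:
                continue
            t = isqrt(disc)
            if t * t != disc or (s + t) % 2:
                continue
            p, q = (s - t) // 2, (s + t) // 2
            if 1 < p < q and p * q == n:
                return p, q
    return None


def guo_convergent_index(e1, d1, e2, d2, lam):
    """Guo's observation (section 2.2): with k_i = (e_i d_i - 1)/lambda(N), the
    fraction k1*d2/(k2*d1) is a convergent of e1/e2 whenever the d_i are small
    enough (alpha < 1/3).  Returns the index of that convergent, or -1."""
    k1 = (e1 * d1 - 1) // lam
    k2 = (e2 * d2 - 1) // lam
    target = Fraction(k1 * d2, k2 * d1)
    for i, (a, b) in enumerate(convergents(e1, e2)):
        if Fraction(a, b) == target:
            return i
    return -1


# Constructed toy instance: two ~30-bit primes, so N ~ 2^60 and N^(1/4) ~ 31600.
# e is inverted modulo lambda(N) = lcm(p-1, q-1) as in the paper; here g = gcd(p-1, q-1) = 2.
P, Q = 998244353, 1000000007
N = P * Q
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
D1, D2 = 1009, 1013                       # small decrypting exponents, far below N^(1/4)
E1, E2 = pow(D1, -1, LAM), pow(D2, -1, LAM)

if __name__ == "__main__":
    print("Wiener recovers", wiener_factor(E1, N), "from (e1, N)")
    print("Guo's fraction k1 d2/(k2 d1) is convergent number",
          guo_convergent_index(E1, D1, E2, D2, LAM), "of e1/e2")
```

As the text notes, finding the convergent in Guo's case is not yet a break: the numerator and denominator are products k_1 d_2 and k_2 d_1, and the convergent is only their reduced form, which is why the example compares Fractions rather than integers.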
2.3 Our heuristic approach 

As already said in the introduction, our approach also assumes that we have 
more than one e for a given N and that each of these e_i has a relatively small 
d_i. 

In the remainder we will use, among others, ideas from both Wiener and Guo 
to solve the general problem of breaking RSA in the presence of n encrypting ex- 
ponents e_i, all with relatively small d_i < N^{α_n}, i = 1, ..., n. The main technique 
used in deriving these results is the creation and subsequent reduction of certain 
lattices. The approach taken can, however, currently only be classed as a 
heuristic method because, although the vectors we search for can be shown to 
be relatively short, we cannot prove yet that they are indeed among the shortest 
vectors (and hence bound to be found by lattice basis reduction algorithms). Nev- 
ertheless, in section 4 it is shown that our approach performs well in practice, 
and that the following theoretically derived bounds are frequently achieved. In 
particular, in the presence of n encrypting exponents e_i, our approach allows for 
the d_i to be as large as N^{α_n}, where 

    α_n = [ (2n+1) 2^n − (2n+1) C(n, n/2) ] / [ (2n−2) 2^n + (4n+2) C(n, n/2) ]                 if n is even, 

    α_n = [ (2n+1) 2^n − 4n C(n−1, (n−1)/2) ] / [ (2n−2) 2^n + 8n C(n−1, (n−1)/2) ]            if n is odd. 

The first few (from n = 1) start 1/4, 5/14, 2/5, 15/34, 29/62. In section 3.5 it 
is shown that α_n → 1 as n → ∞. 

If the LLL algorithm is used in order to reduce the lattices 
derived in our approach, and the (pessimistic) estimate for its complexity of 
O(m^6 log^3 B) is assumed (given a lattice of dimension m with largest norm B), 
then the complexity of our method is O(2^{6n} n^3 log^3 N), and so clearly the attack 
is only practical for small n. 



3 Attacks in the presence of n small decrypting exponents 

3.1 Preliminaries 

In extending the analysis to n encrypting exponents e_i (with small decrypting 
exponents d_i), we use both Wiener's and Guo's ideas. We shall refer to relations 
of the form 

    d_i g e_i − k_i N = g + k_i s 

as Wiener equations, and we shall denote them W_i (see equation 1 for an exam- 
ple). Similarly we shall refer to relations of the form 

    k_i d_j e_j − k_j d_i e_i = k_i − k_j 

as Guo equations, and shall denote them G_{i,j} (see equation 3 for an example). 

We shall also assume, for a given n, that the d_i and k_i are at most N^{α_n}, that g 
is small, and that s is around N^{1/2}. Notice that the right-hand sides of W_i and 
G_{i,j} are therefore quite small; in fact at most N^{1/2 + α_n} and N^{α_n} respectively. 
Finally we often refer to composite relations, e.g. W_u G_{v,w}, in which case we 
mean the relation whose left-hand (resp. right-hand) side is the product of the 
left-hand (resp. right-hand) sides of W_u and G_{v,w}. For example, W_u G_{v,w} 
has a relatively small right-hand side, bounded by N^{1/2 + 2α_n}. 

In the following analysis we examine the cases of 2, 3 and 4 exponents before 
generalising the approach to n exponents. This is done both to give explicit 
examples of the approach in the presence of a small number of exponents, 
and also because it is not until the presence of 4 exponents that the general 
phenomenon becomes clear. The relations that we choose for the cases of 2, 3 
and 4 exponents may seem "plucked from the air", but the pattern is made clear 
in section 3.5. 

3.2 Attacks with 2 small decrypting exponents 

Assuming that we have two small decryption exponents, then the following re- 
lations hold: W_1, G_{1,2}, W_1 W_2, or more explicitly: 

    d_1 g e_1 − k_1 N = g + k_1 s, 
    k_2 d_1 e_1 − k_1 d_2 e_2 = k_2 − k_1, 
    d_1 d_2 g^2 e_1 e_2 − d_1 g k_2 e_1 N − d_2 g k_1 e_2 N + k_1 k_2 N^2 = (g + k_1 s)(g + k_2 s). 

Multiplying the first of these by k_2 means that the left-hand sides are all in terms 
of k_1 k_2, d_1 g k_2, d_2 g k_1, and d_1 d_2 g^2, and hence we may write these equations in 
the matrix form below. 

    (k_1 k_2, d_1 g k_2, d_2 g k_1, d_1 d_2 g^2) · 
        | 1    −N     0       N^2     | 
        | 0    e_1   −e_1    −e_1 N   | 
        | 0    0      e_2    −e_2 N   | 
        | 0    0      0       e_1 e_2 | 
    = (k_1 k_2, k_2 (g + k_1 s), g (k_1 − k_2), (g + k_1 s)(g + k_2 s)). 

The sizes of the entries of the vector on the right-hand side are at most N^{2α}, 
N^{1/2 + 2α}, N^α, and N^{1 + 2α} respectively. These size estimates may be made 
roughly equivalent by multiplying the first three columns of the matrix by N, 
M_1 = N^{1/2}, and M_2 = N^{1 + α} respectively, which gives the following matrix: 

    L_2 = 
        | N    −M_1 N    0          N^2     | 
        | 0     M_1 e_1  −M_2 e_1  −e_1 N   | 
        | 0     0         M_2 e_2  −e_2 N   | 
        | 0     0         0         e_1 e_2 | 

In this case the vector b = (k_1 k_2, d_1 g k_2, d_2 g k_1, d_1 d_2 g^2) will be such that 

    |b L_2| < 2 N^{1 + 2α}. 

We must now make the assumption that, in the lattice generated by the rows 
of L_2, the shortest vector has length Δ^{1/4} where Δ := det(L_2), 
and moreover that the next shortest linearly independent vector has a signif- 
icantly larger norm than the shortest vector in L_2. Indeed, if the lattice L_2 is 
pretty "random", there are almost surely no lattice points of L_2 significantly 
shorter than the Minkowski bound 2Δ^{1/4}. Under these assumptions, b L_2 is 
the shortest vector in the lattice if 

    N^{1 + 2α} < (1/c_2) det(L_2)^{1/4} = (1/c_2) N^{13/8 + α/4} 

for some small c_2, which is true if 

    α < 5/14 − ε. 

This implies that the vector b = (b_1, b_2, b_3, b_4) can be found via lattice basis 
reduction algorithms (e.g. LLL) if α < 5/14 − ε, and then d_1 g/k_1 = b_2/b_1 can 
be calculated, which leads to the factoring of N as shown in section 2.1. 

3.3 Attacks with 3 small decrypting exponents 

This method extends easily to 3 encrypting exponents. We now have the quan- 
tities 1, e_1, e_2, e_1 e_2, e_3, e_1 e_3, e_2 e_3 and e_1 e_2 e_3 from which to form linear relationships, 
and we already have relationships concerning the first four of these from the 2 
exponent case, namely W_1, G_{1,2}, and W_1 W_2. For the remaining relationships 
we choose G_{1,3}, W_1 G_{2,3}, W_2 G_{1,3} and W_1 W_2 W_3. These relations imply looking 
for the vector 

    b = (k_1 k_2 k_3, d_1 g k_2 k_3, k_1 d_2 g k_3, d_1 d_2 g^2 k_3, 
         k_1 k_2 d_3 g, k_2 d_1 d_3 g^2, k_1 d_2 d_3 g^2, d_1 d_2 d_3 g^3), 

by reducing the rows of the lattice L_3, whose 8 × 8 relation matrix (columns in the 
order of the quantities above; the individual entries of the matrix did not survive 
in this copy) is multiplied by the diagonal matrix 

    D = diag(N^{3/2}, N, N^{(3/2) + α}, N^{1/2}, N^{(3/2) + α}, N^{1 + α}, N^{1 + α}, 1) 

used to maximise the determinant of L_3 and still keep 

    |b L_3| < 2√2 N^{3/2 + 3α}. 

Again, using the assumptions that the shortest vector in the lattice generated 
by the rows of L_3 has length det(L_3)^{1/8} and is also significantly shorter than 
the next shortest linearly independent vector in L_3, means that b L_3 will be the 
shortest vector in the lattice L_3 if 

    N^{3/2 + 3α} < (1/c_3) det(L_3)^{1/8} = (1/c_3) N^{5/2 + α/2} 

for some small c_3, which is true if 

    α < 2/5 − ε. 

Using again the first two components of b, as in the 2 exponent case, one may 
now factor the modulus N as shown in section 2.1. 



3.4 Attacks with 4 small decrypting exponents 

In the presence of 4 exponents we can now use linear relationships among the 
quantities 1, e_1, e_2, e_1 e_2, e_3, e_1 e_3, e_2 e_3, e_1 e_2 e_3, e_4, e_1 e_4, e_2 e_4, e_3 e_4, e_1 e_2 e_4, e_1 e_3 e_4, 
e_2 e_3 e_4 and e_1 e_2 e_3 e_4. As before we already have linear relationships for the first 
half of these quantities from the analysis in the presence of 3 equations. For 
the remaining quantities we use the relations G_{1,4}, W_1 G_{2,4}, G_{1,2} G_{3,4}, G_{1,3} G_{2,4}, 
W_1 W_2 G_{3,4}, W_1 W_3 G_{2,4}, W_2 W_3 G_{1,4} and W_1 W_2 W_3 W_4. Putting these relations in 
matrix form, and multiplying the columns by appropriate factors to make all 
the relations of size at most N^{2 + 4α}, results in a 16 × 16 matrix, L_4, which has 
determinant N^{109/2 + 13α}. The vector b we are now looking for is 

    b = (k_1 k_2 k_3 k_4, d_1 g k_2 k_3 k_4, k_1 d_2 g k_3 k_4, d_1 d_2 g^2 k_3 k_4, 
         k_1 k_2 d_3 g k_4, d_1 k_2 d_3 g^2 k_4, k_1 d_2 d_3 g^2 k_4, d_1 d_2 d_3 g^3 k_4, 
         k_1 k_2 k_3 d_4 g, d_1 k_2 k_3 d_4 g^2, k_1 d_2 k_3 d_4 g^2, k_1 k_2 d_3 d_4 g^2, 
         d_1 d_2 k_3 d_4 g^3, d_1 k_2 d_3 d_4 g^3, k_1 d_2 d_3 d_4 g^3, d_1 d_2 d_3 d_4 g^4). 

Therefore, again making the same assumptions as before, implies that the vector 
b L_4 is the shortest vector in the lattice generated by the rows of L_4 if 

    N^{2 + 4α} < (1/c_4) det(L_4)^{1/16} 

for some small c_4, and this is true if 

    α < 15/34 − ε. 

Using again the first two components of b, as in the 2 and 3 exponent cases, one 
may again factor the modulus N as shown in section 2.1. 
3.5 The general approach 

Due to space limitations we defer the subtle computation of the general allowable 
bound on the d_i when we have n encrypting exponents e_i, i = 1, ..., n, to the 
appendix, and show below simply the graph of α_n for small n. 

[Fig. 1. Graph of the bounds α_n as a function of n; figure not reproduced.] 

4 Practical results 

Although our method is at the current time only heuristic, it works well in 
practice as can be seen from our experimental results below. 

Our implementation uses the NTL library of Victor Shoup. Timings are 
given for a 3[..] MHz K6 running under Linux. 
Open problems 

The major open problem raised by our work is the following. To work out the 
manageable bound on α_n for the secret exponents we had to make two heuristic 
assumptions concerning "random" lattices. As the experimental results strongly 
support the derived bounds it is natural to ask whether our attack can be turned 
into a rigorous theorem. 
Appendix 

We now work out the general bound on the d_i when we have n encrypting 
exponents. The reader is encouraged to refer back to the previous sections (when 
n = 2, 3 and 4) as examples. 

Given that there are n exponents e_i, then there are 2^n different quantities, h_j, 
involving the e_i's, and the product of all of these (assuming e_i ≈ N) is N^{n 2^{n−1}}. 
This means that one considers a diagonal matrix of dimension 2^n, and 
that the determinant of this matrix, before multiplying the rows to increase the 
allowable bound, is N^{n 2^{n−1}}. 

The last relation W_1 W_2 ... W_n has a right-hand side of at most N^{n/2 + nα_n}, 
and thus we increase the right-hand side of all the other relations up to this 
bound, making the desired vector b such that |b L_n| is (still) approximately 
N^{n/2 + nα_n}. The general form of the desired vector b is that its j-th entry is the 
product of n known quantities a_i for i = 1, ..., n, where a_i is either d_i g or k_i 
depending on whether e_i is present in the j-th quantity h_j or not. 

We now consider the interesting problem of which relations to consider for n 
equations. Observe that a general relation of the form 

    R_{u,v} = W_{i_1} ... W_{i_u} G_{j_1,l_1} ... G_{j_v,l_v} 

(where the i_1, ..., i_u, j_1, ..., j_v, l_1, ..., l_v are unique) has a left-hand side com- 
posed of products of (u + 2v) of the e_i's with coefficients that are products of 
(u + 2v) of the known quantities a_i (where a_i is again either d_i g or k_i). Also 
notice that the right-hand side of R_{u,v} has size at most N^{u/2 + (u+v)α_n}. 

Our method requires all the coefficients to be roughly the same size (a product 
of n of the quantities a_i). This means that relations which have coefficients less 
than this must be multiplied (on both sides) by some missing k_i. For example, 
in the 2 exponent case we multiplied the first equation by k_2 to make all the 
coefficients of size N^{2α_2}. This has the effect of increasing the right-hand side of 
relation R_{u,v} to a size bounded by N^{u/2 + (n−v)α_n}. 

Given this new relation we now need to make its right-hand side as large 
as the right-hand side of W_1 W_2 ... W_n, which means multiplying (both sides) by 

    N^{(n−u)/2 + vα_n}. 

For example, these multiplication factors are the (diagonal) 
entries of the diagonal matrix D in the example when n = 3. 

Say that the product of these multiplication factors (i.e. the determinant of 
D in the n = 3 example) is N^{β_n} where β_n = x + yα_n, and let L_n denote 
the lattice of (modified) relations as before. This means that (under the usual 
assumptions) the vector b L_n is the shortest vector of the lattice if 

    N^{n/2 + nα_n} < (1/c_n) ( N^{n 2^{n−1}} N^{β_n} )^{1/2^n} 

for some small c_n, i.e. when 

    α_n < x / (n 2^n − y).                                                  (4) 

In order to maximise α_n we wish both x and y to be large. This means that 
the relations should be chosen to maximise v (and minimise u). For instance 
when n = 2 we choose the relations W_1, G_{1,2} and W_1 W_2 rather than W_1, W_2 
and W_1 W_2 because β_2 = 2 in the latter case rather than 5/2 + α_2 in the former. 

With this general principle in mind we still need to explain exactly which 
relations we use. In order to maintain the triangularity of L_n we only consider 
relations which introduce one new quantity. The choices for n ≤ 5 can be 
seen in the below table. 
h_j               relation              size of   size of   size of rhs      contribution 
                                        coeffs    h_j       (exponent of N)  to β_n 

1                 (base relation)       0         0         0                n/2 
e_1               W_1                   1         1         1/2 + α_n        (n−1)/2 
e_2               G_{1,2}               2         1         α_n              n/2 + α_n 
e_1 e_2           W_1 W_2               2         2         1 + 2α_n         (n−2)/2 
e_3               G_{1,3}               2         1         α_n              n/2 + α_n 
e_1 e_3           W_1 G_{2,3}           3         2         1/2 + 2α_n       (n−1)/2 + α_n 
e_2 e_3           W_2 G_{1,3}           3         2         1/2 + 2α_n       (n−1)/2 + α_n 
e_1 e_2 e_3       W_1 W_2 W_3           3         3         3/2 + 3α_n       (n−3)/2 
e_4               G_{1,4}               2         1         α_n              n/2 + α_n 
e_1 e_4           W_1 G_{2,4}           3         2         1/2 + 2α_n       (n−1)/2 + α_n 
e_2 e_4           G_{1,2} G_{3,4}       4         2         2α_n             n/2 + 2α_n 
e_3 e_4           G_{1,3} G_{2,4}       4         2         2α_n             n/2 + 2α_n 
e_1 e_2 e_4       W_1 W_2 G_{3,4}       4         3         1 + 3α_n         (n−2)/2 + α_n 
e_1 e_3 e_4       W_1 W_3 G_{2,4}       4         3         1 + 3α_n         (n−2)/2 + α_n 
e_2 e_3 e_4       W_2 W_3 G_{1,4}       4         3         1 + 3α_n         (n−2)/2 + α_n 
e_1 e_2 e_3 e_4   W_1 W_2 W_3 W_4       4         4         2 + 4α_n         (n−4)/2 
e_5               G_{1,5}               2         1         α_n              n/2 + α_n 
e_1 e_5           W_1 G_{2,5}           3         2         1/2 + 2α_n       (n−1)/2 + α_n 
e_2 e_5           G_{1,2} G_{3,5}       4         2         2α_n             n/2 + 2α_n 
e_3 e_5           G_{1,3} G_{2,5}       4         2         2α_n             n/2 + 2α_n 
e_4 e_5           G_{1,4} G_{2,5}       4         2         2α_n             n/2 + 2α_n 
e_1 e_2 e_5       W_1 W_2 G_{3,5}       4         3         1 + 3α_n         (n−2)/2 + α_n 
e_1 e_3 e_5       W_1 G_{2,3} G_{4,5}   5         3         1/2 + 3α_n       (n−1)/2 + 2α_n 
e_2 e_3 e_5       W_2 G_{1,3} G_{4,5}   5         3         1/2 + 3α_n       (n−1)/2 + 2α_n 
e_1 e_4 e_5       W_1 G_{2,4} G_{3,5}   5         3         1/2 + 3α_n       (n−1)/2 + 2α_n 
e_2 e_4 e_5       W_2 G_{1,4} G_{3,5}   5         3         1/2 + 3α_n       (n−1)/2 + 2α_n 
e_3 e_4 e_5       W_3 G_{1,4} G_{2,5}   5         3         1/2 + 3α_n       (n−1)/2 + 2α_n 
e_1 e_2 e_3 e_5   W_1 W_2 W_3 G_{4,5}   5         4         3/2 + 4α_n       (n−3)/2 + α_n 
e_1 e_2 e_4 e_5   W_1 W_2 W_4 G_{3,5}   5         4         3/2 + 4α_n       (n−3)/2 + α_n 
e_1 e_3 e_4 e_5   W_1 W_3 W_4 G_{2,5}   5         4         3/2 + 4α_n       (n−3)/2 + α_n 
e_2 e_3 e_4 e_5   W_2 W_3 W_4 G_{1,5}   5         4         3/2 + 4α_n       (n−3)/2 + α_n 
e_1 e_2 e_3 e_4 e_5  W_1 W_2 W_3 W_4 W_5  5       5         5/2 + 5α_n       (n−5)/2 

Table showing the chosen relations for n ≤ 5 (a relation with u Wiener and v Guo 
factors has coefficient size u + 2v, h_j of size u + v, right-hand side N^{u/2 + (u+v)α_n} 
and contributes (n − (u+v) + v)/2 + vα_n to β_n). 

fter t e i itial “ ase relatio ” ( ic req ires t at t e first co po e t of 
& s o Id e s all), e seek a li ear relatio et ee e a d (or a Itiple of 

t is e.g. N), a d o r o 1 c oice for t is is PE . it t e i trod ctio of t e 
etepoete e o look for a relatio et ee , e a d e . or t is e 
ca eit er c oose W or G ^ , a d as e plai ed a o e G , is t e rig t c oice. 
A more interesting situation arises when the fourth exponent e_4 has been 
introduced, and one looks for a relation regarding e_1 e_4 and the previous ones. 
The best choice in this case turns out to be W_1 G_{2,4}. However, when considering 
the next relation regarding e_2 e_4 and the previous ones we may now use G_{1,2} G_{3,4}, 
because the left-hand side of this relation contains e_1 e_3, e_1 e_4, e_2 e_3 and e_2 e_4, all 
of which are now present. 

In general, when looking for a relation regarding e_{i_1} e_{i_2} ... e_{i_s} and the previous 
ones, one can use a relation R_{u,v} where u + v = s, subject to the required h_j 
being present earlier. It can be shown that the number of relations R_{u,v} with 
v = t should be C(n, t) − C(n, t−1), regardless of the size s = u + v of the relation (though 
of course this is subject to t ≤ s and s + t ≤ n). The contribution to β_n for 
such a relation is (n − s + t)/2 + tα_n, and thus (summing over the possible s and t) 
the total contribution to β_n is shown below. 

    β_n = Σ_{s=0}^{n} Σ_{t ≤ s, s+t ≤ n} [ C(n, t) − C(n, t−1) ] · [ (n − s + t)/2 + tα_n ] 

Assuming n is even this sum can be simplified to 

    β_n = [ (2n+1) 2^n − (2n+1) C(n, n/2) ] / 4 + [ (n+1) 2^n − (2n+1) C(n, n/2) ] / 2 · α_n, 

or if n is odd then the sum becomes 

    β_n = [ (2n+1) 2^n − 4n C(n−1, (n−1)/2) ] / 4 + [ (n+1) 2^n − 4n C(n−1, (n−1)/2) ] / 2 · α_n. 

Using equation 4 this means that if n is even, then 

    α_n < [ (2n+1) 2^n − (2n+1) C(n, n/2) ] / [ (2n−2) 2^n + (4n+2) C(n, n/2) ], 

whilst if n is odd, then 

    α_n < [ (2n+1) 2^n − 4n C(n−1, (n−1)/2) ] / [ (2n−2) 2^n + 8n C(n−1, (n−1)/2) ]. 

Either way, using Stirling's formula n! ≈ √(2πn) n^n e^{−n} we get that 

    C(2k, k) ≈ 2^{2k} / √(πk)    as k → ∞, 

and hence we have that α_n → 1 as n → ∞.                                   (6) 
1 Introduction 

1.1 Exact security of signature schemes 

Goldwasser, Micali and Rivest's ([GMR88]) classical notion of security for a 
digital signature scheme is asymptotic in nature. In essence, a proof of security 
amounts to a reduction from forging a signature to solving a computationally 
hard problem: if a polynomial-time forger exists, then we can use it to solve the 
hard problem in polynomial time. 

It has been often pointed out that this asymptotic approach, which uses noti- 
ons such as "polynomial time" and "sufficiently large," is too coarse for practical 
security recommendations. Knowing that no polynomial-time adversary has a 
better than exponentially small chance of forgery for a sufficiently large security 
parameter does not provide one with an answer to the practical problem of fin- 
ding the appropriate security parameters to ensure security against adversaries 
with certain concrete capabilities. 

Bellare and Rogaway ([BR96]) argue that, in order to be able to deduce 
concrete security recommendations, it is important to be precise in the reduction 
from a forger to the algorithm that solves the hard problem. For example, if one 
knows that factoring integers of a given length is no more than a certain factor harder than 
breaking a certain signature scheme with the corresponding security parameter, then one could 
pick the parameter so that even that fraction of the work required to factor integers of that length is 
considered infeasible. 

* A full version of this paper is available at http://theory.lcs.mit.edu/~reyzin/ 
The second author was supported by a National Science Foundation Graduate Fellowship. 

R. Baumgart (Ed.): CQRE '99, LNCS 1740, pp. 167–182, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 
A reduction in which the difficulty of forging and the difficulty of solving 
the underlying hard problem are close is called tight; otherwise, it is called loose. 
(Naturally, "close," "tight" and "loose" are imprecise terms and make more sense 
when used in the comparative.) A scheme whose exact security is tightly related 
to the difficulty of factoring is also proposed in [BR96]. 

1.2 Security of Fiat-Shamir-like signature schemes 

A fruitful method for constructing signature schemes was introduced by Fiat and 
Shamir ([FS86]). Although claimed for a specific ID scheme, the method works 
with a general commit-challenge-respond ID scheme. The method consists of 
replacing the verifier's random challenge by a publicly known "random" function 
computed on the prover's commitment and the message being signed. This 
removes interaction and adds the message into the picture, thus changing an ID 
scheme into a signature scheme. 

Many of such signature schemes have been proven secure when the "random" 
function is modeled as a random oracle ([BR93] provides a formal treatment 
of this model). However, the reductions in these proofs are quite loose, thus 
necessitating larger key sizes. Unless a tighter reduction has been overlooked, 
the only way to improve the security of such signature schemes is to modify 
them to allow for tighter reductions. 

1.3 Contributions of this paper 

This paper makes two contributions. 

First, we show how to modify the factoring-based Fiat-Shamir-like schemes 
to make their security very tightly related to the problem of integer factorisa- 
tion. Our modification is quite general and can be applied, in particular, to the 
schemes from [FS86], [...], [...], [...], [...], [Oka92], [Mic94], [Sho96] 
and [Sch96]. 

To exemplify our method and make the description concrete, we picked one of 
the simpler and more efficient schemes from the above list, the one of [Mic94]. As 
it is only an example of a scheme that our method applies to, we shall henceforth 
refer to it simply as the [Mic94] scheme. We first present an exact analysis of the loose security 
of the [Mic94] scheme, then propose the modification (called the "swap method") and present an 
exact analysis of the tight security of the modified scheme (called the "swap" scheme). 
Note that both the [Mic94] scheme and the swap scheme are quite practical, with performance that 
is comparable to that of the schemes currently used in practice. 

Second, after proposing a method for creating signature schemes with tight 
reductions, we demonstrate that tightness of a reduction alone is insufficient if 
one wishes to maximize security while minimizing costs other than key length 
(e.g., signing time). While it is indeed true that a tighter reduction allows for 
a lower security parameter, a "loose" scheme can be so efficient that, though 
requiring a larger security parameter for a specific level of security, it may deliver 
better performance (e.g., in signing time) than a "tight" scheme for the same 
level of security. 
Specifically, we demonstrate that although the swap scheme has better exact security 
than the [Mic94] scheme, which of the two schemes to pick depends on what the main 
factor in the cost is. If the efficiency of verifying is of main concern, then the swap scheme 
should be chosen. If, however, the efficiency of signing is the main concern, then 
the [Mic94] scheme can deliver more security for less cost. In fact, in that case the [Mic94] 
scheme can deliver more security for less cost than even the schemes of [BR96]. 

We highlight that our point is not sacrificing security for efficiency. Quite the 
contrary, we leverage efficiency in order to achieve better security. We submit 
that measuring the cost of a signature scheme accurately is just as important as 
measuring security accurately, and demonstrate that schemes with worse exact 
security may actually achieve better security for the same cost. We hope that 
this may further the applicability of exact security analysis. 

1.4 Road map 

We begin by introducing formal definitions and dealing with other preliminaries 
in Section 2. We introduce the [Mic94] signature scheme and analyze its security 
in Section 3. Our new method for constructing signature schemes is given in 
Section 4. We then show in Section 5 how to apply exact security analysis to 
choosing a digital signature scheme so as to optimize a given cost for a given 
level of security. 

2 Definitions 

In the interests of space, we omit the explanations of commonly used notation 
and the often-used definition of a signature scheme as a triple of algorithms 
(key generation, signing and verification) that are given access to a common oracle 
(see, e.g., [BR93] and [BR96]). They are available in the full paper. 

We will, however, provide a more detailed discussion of what it means for a 
signature scheme to be secure. Our definition of security is a modified version of 
that in [BR96], which is based on [BR93] and [GMR88]. This definition concerns 
itself with exact, rather than asymptotic, security. 

Intuitively, we want to capture the following in our definition of security: 
there is no algorithm (called "forger") that, for a random oracle H, is able 
to produce new valid signatures with reasonable probability in reasonable time 
without knowing the secret key sk. Moreover, we should assume that an attacker 
can coerce the signer into signing some number of messages of the attacker's 
choice (to carry out the so-called "adaptive chosen-message attack" [GMR88]). 
We model this by giving the forger oracle access to the oracle H and to the 
algorithm Sign^H(sk, ·). 

Definition 1. A forger F is a randomized algorithm that takes a security parameter 
k and a public key pk as input. The first oracle F is given access to is 
called a hashing oracle and the second oracle is called a signature oracle. Let 
H be a hash oracle and let (pk, sk) = Gen(1^k) for some k. We say that the 
forger succeeds if (m, σ) = F^{H, Sign^H(sk,·)}(k, pk) is a valid signature on m 
and m was not queried to the signature oracle. 

We say that a forger (t, q_sig, q_hash, δ, ε)-breaks the signature scheme if for a 
security parameter k the following holds: 

— its running time (plus the size of its description) is at most t(k); 

— the number of its queries to the signature oracle is at most q_sig(k); 

— the number of its queries to the hash oracle is at most q_hash(k); 

— the probability is at least δ(k) of obtaining such a (pk, sk) that 
the probability of the forger's success F^{H, Sign^H(sk,·)}(k, pk) is at least ε(k) (here 
the probability of the forger's success is taken over a random choice of the 
oracle H, the random tape of the forger, and the random tape of the signer 
when the forger addresses the chosen-message queries, but not the choice of 
pk). 

We say that a signature scheme is (t, q_sig, q_hash, δ, ε)-secure if 
no forger (t, q_sig, q_hash, δ, ε)-breaks it. 

(As an aside for the reader familiar with the definition of [BR96], we point 
out that if a scheme is (t, q_sig, q_hash, ε)-secure in the sense of [BR96], then 
it is (t, q_sig, q_hash, δ, ε/δ)-secure in the sense of the above definition. We simply 
separate the component of the probability that is due to the selection of the 
public key.) 

Now that we have defined what it means for a signature scheme to be secure, 
how do we actually prove anything about security? We will relate the security of 
a signature scheme to the difficulty of some problem; in our case, the difficulty of 
factoring. Let G(1^l) be an algorithm generating l-bit products of two primes. 

Definition 2. We say that an algorithm A (t, δ, ε)-factors integers generated 
by G if for a parameter l: 

— A's running time (plus the size of its description) is at most t(l); 

— the probability is at least δ(l) that G(1^l) generates such an integer N that A has 
at least ε(l) probability (taken over the random choices of the algorithm A, 
but not the choice of N) of finding the correct factors of N. 

We say that factoring integers generated by G is (t, δ, ε)-secure if 
no such A exists. 

Given this definition of the difficulty of a problem, we can then explain the 
security of a signature scheme in the following terms, as suggested by [BR96]: 
if some problem is (t', δ', ε')-secure, then the scheme is (t, q_sig, q_hash, δ, ε)-secure. 
If t is not much smaller than t' and δ, ε are not much larger than δ', ε', even 
for a reasonably large q_sig and q_hash, then the reduction proving the security is 
called tight. 
3 The [Mic94] scheme 

3.1 Preliminaries 

We describe the following ID and signature scheme from [Mic94], with similarities 
to the Ong-Schnorr ([OS90]) and the Guillou-Quisquater ([GQ88]) schemes. 

Number Theory. Let k and l be two security parameters. Let p_1 ≡ 3 (mod 8) 
and p_2 ≡ 7 (mod 8) be two primes of approximately equal size and N = p_1 p_2 
be an l-bit integer (such N is called a Williams integer [Wil80]). To simplify 
further computations, we will also make the usual size assumptions on N, on 
φ(N) = N − p_1 − p_2 + 1, and on p_1 + p_2 − 2. Let Q_N denote the 
set of non-zero quadratic residues modulo N. Note that |Q_N| = φ(N)/4. Note also 
that for x ∈ Q_N, exactly one of its four square roots is also in Q_N (this follows from 
the fact that −1 is a non-square modulo p_1 and p_2 and the Chinese remainder 
theorem). Thus, squaring is a permutation over Q_N. From now on, when we speak 
of "the square root of x" we mean the single square root in Q_N; we will 
denote by x^{2^{−k}} the single y ∈ Q_N such that y^{2^k} = x. Also note that 2 is a non-square 
modulo p_1 and a square modulo p_2 (because (2/p) = (−1)^{(p^2−1)/8}), so for x ∈ Q_N none of 
−x, 2x, −2x is in Q_N. In general, for any x ∈ Z_N^*, exactly one of x, −x, 2x, −2x is in Q_N. 

Following [OS90], define F_0(x) = x^2 mod N, F_1(x) = 4x^2 mod N, and, 
for an m-bit binary string σ = σ_1 ... σ_m, define F_σ as F_σ(x) = 
F_{σ_m}(... (F_{σ_2}(F_{σ_1}(x))) ...) = 4^σ x^{2^m} mod N (note that 4^σ is a slight abuse of not- 
ation, because σ is a binary string, rather than an integer; what is really meant 
here is 4 raised to the power of the integer represented in binary by σ). Because 
squaring is a permutation over Q_N and 4 ∈ Q_N, F_σ is a permutation over Q_N. 

Note that F_σ(x) can be efficiently computed by anybody who knows N. Also, 
if one knows p_1 and p_2, one can efficiently compute x = F_σ^{−1}(y) (as shown by 
Goldreich in [Gol86]) by computing s = 4^{−2^{−m}} mod N and then letting 
x = s^σ y^{2^{−m}} mod N (these calculations can be done modulo p_1 and p_2 separately, 
and the results combined using the Chinese remainder theorem). However, if one 
does not know p_1 and p_2, then F_σ^{−1} is hard to compute, as shown in the lemma 
below. 

Lemma 1. If one can compute, for any two different strings σ and τ of equal length, 
x = F_σ^{−1}(y) and z = F_τ^{−1}(y), then one can factor N. 

Proof. The proof is by induction on the length of the strings σ and τ. 

If σ, τ ∈ {0, 1}, then assume, without loss of generality, that σ = 0 and 
τ = 1. Then F_0(x) ≡ F_1(z) (mod N), i.e., x^2 ≡ 4z^2 (mod N), i.e., (x − 
2z)(x + 2z) ≡ 0 (mod N). Note that x ∈ Q_N and 2z ∉ Q_N, so x ≢ ±2z 
(mod N), so N does not divide either x − 2z or x + 2z. Thus, computing 
the gcd of x + 2z and N, we can get either p_1 or p_2. 

For the inductive case, let σ and τ be two strings of length m + 1. Let σ' and 
τ' be their m-bit prefixes, respectively. If F_{σ'}(x) ≡ F_{τ'}(z) (mod N), we are 
done by the inductive hypothesis. Otherwise, the last bit of σ must be different 
from the last bit of τ, so, without loss of generality, assume the last bit of σ is 
0 and the last bit of τ is 1. Then (F_{σ'}(x))^2 ≡ 4 (F_{τ'}(z))^2 (mod N), and the 
same proof as for the base case works here. 

The ID Scheme. The above lemma naturally suggests the following ID scheme. A user has $n$ as the public key and $p_1, p_2$ as the secret key. To prove his identity (i.e., that he knows $p_1$ and $p_2$) to a verifier, he commits to a random $X \in Q_n$ and sends it to the verifier. The verifier produces a random $k$-bit challenge $\sigma$ and sends it to the prover (the user). The prover responds with $Y = F_{0\sigma}^{-1}(X)$ (note that $\sigma$ here is prefixed with a single 0 bit, whose use will be explained shortly). The verifier checks that $X = F_{0\sigma}(Y) = F_\sigma(Y^2)$ and that $Y \not\equiv 0 \pmod n$.

Informally, the security of this protocol is based on the fact that if the prover is able to respond to two different challenges $\sigma$ and $\tau$, then, by Lemma 1, he knows $p_1$ and $p_2$. The 0 bit in front of $\sigma$ is to save the verifier from having to check that the prover's response is in $Q_n$ (which is a hard problem in itself): instead, she just squares the prover's response and thus puts it in $Q_n$.

We will say no more about the security of this ID scheme because we are not concerned with it in this paper. We will, however, point out an efficiency improvement for the prover. First, as part of key generation, the prover computes, using the Chinese remainder theorem, $s = 4^{-2^{-(k+1)}} \bmod n$. Then, when committing to a random $X \in Q_n$, the prover randomly selects an $R \in Z_n^*$ and sets $X = R^{2^{k+1}} \bmod n$ (note that $X$ gets selected with uniform distribution as long as $R$ is so selected). Now, to respond to a challenge $\sigma$, the prover simply computes $Y = s^{\sigma} R \bmod n$.

The E Scheme. The standard way to change the above ID scheme into a signature scheme is to replace the verifier with a random function $H : \{0,1\}^* \to \{0,1\}^k$. The exact steps of the key generation, signing and verifying algorithms follow.

Key Generation

1. Generate two random primes $p_1 \equiv 3 \pmod 8$ and $p_2 \equiv 7 \pmod 8$ and $n = p_1 p_2$ so that $2^{l-1} \le n - p_1 - p_2 + 1 < 2^{l}$ and $p_1 + p_2 - 2 \le 2^{l/2}$

2. Generate coefficient $c = p_1^{-1} \bmod p_2$ for use in the Chinese remainder theorem

3. Compute $u_i = 2^{-(k+1)} \bmod \frac{p_i - 1}{2}$ for $i = 1, 2$ (note that $u_i$ is such that raising a square to the power $u_i$ modulo $p_i$ will compute its $2^{k+1}$-th root)

4. Compute $s_i = (4^{-1})^{u_i} \bmod p_i$ for $i = 1, 2$

5. Compute $v = (s_2 - s_1)c \bmod p_2$ and $s = s_1 + v p_1$ to get $s = 4^{-2^{-(k+1)}} \bmod n$

6. Output $n$ as the public key and $(n, s)$ as the secret key

Signing

1. Generate $X$ by picking a random $R \in Z_n^*$ and computing $X = R^{2^{k+1}} \bmod n$ (note that this step can be done off-line, before the message is known)

2. Compute $\sigma = H(X, M)$, and $Y = F_{0\sigma}^{-1}(X)$ via $t = s^{\sigma} \bmod n$ (this can be done via $t_i = s_i^{\sigma} \bmod p_i$ for $i = 1, 2$, $v = (t_2 - t_1)c \bmod p_2$, $t = t_1 + v p_1$) and $Y = tR \bmod n$

3. Output $(Y, \sigma)$




Improving the Exact Security of Fiat-Shamir Signature Schemes



Verifying

1. Verify that $Y \not\equiv 0 \pmod n$ and compute $X = F_{0\sigma}(Y)$ via $t_1 = Y^{2^{k+1}} \bmod n$, $t_2 = 2^{2\sigma} \bmod n$, $X = t_1 t_2 \bmod n$

2. Verify if $\sigma = H(X, M)$



3.2 Security of the E Scheme

We state the following two theorems that give two different views of the exact security of the scheme and demonstrate the tradeoff between running time and success probability. Their proofs use known methods (see Pointcheval and Stern [PS96] and Ohta and Okamoto [OO98]). Our probability analysis is new, however, and results in slightly tighter reductions.

Theorem 1. If there exists a forger $F$ that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E scheme with security parameters $l$ and $k$, then there exists an algorithm that $(t', \epsilon')$-factors integers generated by the key generation algorithm, for
$$t' = 2t + 2(q_{sig} + 1)T_1 + T_2,$$
$$\epsilon' = \frac{\epsilon\,(\epsilon - 2^{-k}(q_{hash}+1))}{q_{hash}+1} - 2\gamma,$$
where $T_1$ is the time required to perform a signature verification, $T_2$ is the time required to factor $n$ given the two values $x$ and $x'$ of Lemma 1 (essentially a gcd computation) and $\gamma = q_{sig}(q_{hash}+1)2^{-k}$ (note that $\gamma$ is close to 0 for any reasonable $q_{sig}$, $q_{hash}$ and $k$).








Proof. Let $F$ be a forger that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E signature scheme. We will construct a factoring algorithm $A$ that uses $F$ to produce $Y$, $Y'$ and $\sigma \ne \tau$ such that $F_{0\sigma}(Y) = F_{0\tau}(Y')$. This will allow $A$ to factor $n$ using the method given in the proof of Lemma 1.



The main idea of this proof is given by the "forking lemma" of [PS96]. It is to allow $A$ to run $F$ once to produce one forgery, a signature $(Y, \sigma)$ on a message $M$ such that $\sigma = H(X, M)$ where $X = F_{0\sigma}(Y)$. Note that $F$ had to ask a hashing-oracle query on $(X, M)$, since otherwise its probability of success is at most $2^{-k}$. Then, run $F$ the second time, giving the same answers to all the oracle queries before the query $(X, M)$. For $(X, M)$ give a new answer $\tau$. Then, if $F$ again forges a signature $(Y', \tau)$ using $X$ and $M$, we will have achieved our goal.

Assuming $X$ is such that $F$ has probability at least $\epsilon$ of success, the probability that $A$ will factor using this approach is roughly $\epsilon^2/q_{hash}$, because $F$ needs to succeed twice and we have no guarantee that $F$ will choose to use $(X, M)$ for its second forgery and not any of its other hash oracle queries.

The complete details of the proof are available in the full version of this paper and are omitted here in the interests of space.

Theorem 2. If there exists a forger $F$ that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E scheme with security parameters $l$ and $k$ such that $2^{-k}(q_{hash}+1) < \epsilon - q_{sig}(q_{hash}+1)2^{-k}$, then there exists an algorithm that $(t', 0.99)$-factors integers generated by the key generation algorithm, for
$$t' = \frac{(2q_{hash}+3)(t + q_{sig}T_1)}{(\epsilon - \gamma) - 2^{-k}(q_{hash}+1)} + T_2,$$
where $T_1$, $T_2$ and $\gamma$ are as in Theorem 1.

Proof. The idea is to iterate the $A$ from Theorem 1 sufficiently many times to get a constant probability of success. More specifically, run $F$ about $1/((\epsilon - \gamma) - 2^{-k}(q_{hash}+1))$ times the first time, to achieve a constant probability of a successful forgery, and about $2q_{hash}$ times the second time, to achieve a constant probability of a successful forgery that uses the pair $(X, M)$.

The complete details of the proof are available in the full version of this paper and are omitted here in the interests of space.

The following two statements follow directly from the theorems just proved once we fix the parameters to be high enough to avoid dealing with small terms.

Corollary 1. If factoring integers generated by the key generation algorithm is $(t', \epsilon')$-secure, then the E signature scheme is $(t, q_{sig}, q_{hash}, \epsilon)$-secure for
$$q_{sig} \le \frac{2^{k-1}\epsilon'}{q_{hash}+1},$$
$$t = \frac{t'}{2} - (q_{sig} + 1)T_1 - \frac{T_2}{2},$$
$$\epsilon = 2^{-k}(q_{hash}+1) + \sqrt{2\epsilon'(q_{hash}+1)}.$$

Proof. Note that the value for $t$ follows directly by solving for $t$ the equation for $t'$ in the statement of Theorem 1. The value for $\epsilon$ is computed as follows: solve for $\epsilon$ the quadratic equation that expresses $\epsilon'$ in terms of $\epsilon$ to get
$$\epsilon = \frac{2^{-k}(q_{hash}+1) + \sqrt{2^{-2k}(q_{hash}+1)^2 + 4(q_{hash}+1)(\epsilon' + 2\gamma)}}{2} \le 2^{-k}(q_{hash}+1) + \sqrt{(q_{hash}+1)(\epsilon' + 2\gamma)}.$$
Observe that we are allowed to increase $\epsilon$, as this will only weaken the result. Note that the condition on $q_{sig}$ ensures that $2\gamma \le \epsilon'$, so setting $\epsilon$ to $2^{-k}(q_{hash}+1) + \sqrt{2\epsilon'(q_{hash}+1)}$ will not decrease it.



Corollary 2. If factoring integers generated by the key generation algorithm is $(t', 0.99)$-secure, then the E signature scheme is $(t, q_{sig}, q_{hash}, \epsilon)$-secure for
$$t = \frac{\epsilon\,(t' - T_2)}{4q_{hash}+6} - q_{sig}T_1$$
as long as $q_{sig} \le 2^{k-2}\epsilon/(q_{hash}+1)$ and $\epsilon \ge 2^{2-k}(q_{hash}+1)$.

Proof. The proof is similar to that of Corollary 1, and is given in the full paper.



4 P t 

4.1 Motivation

As exemplified by the proof of Theorems 1 and 2 above, all known results for the security of Fiat-Shamir-like signature schemes involve losing a factor of $q_{hash}$ (in either time or success probability) in the reduction from a forger to an algorithm that breaks the underlying hard problem (see, for example, [FS86], [ ch96], [PS96], [Sho96], [OO98]). While no proof exists that the loss of this factor is necessary, the problem seems inherent in the way signature schemes are constructed from ID schemes, as explained below.

The security of an ID scheme usually relies on the fact that a prover would be unable to answer two different challenges for the same commitment without knowing the private key. Therefore, in the proof of security of the corresponding signature scheme, we need to use the forger to get two signatures on the same commitment, as we did in the proof of Theorems 1 and 2. The forger, however, has any of its hash queries to pick for the commitment for the second signature; hence, our loss of the factor of $q_{hash}$. We want to point out that $q_{hash}$ is a significant factor, and its loss definitely makes a reduction quite loose. This is because a reasonable bound on the number of possible hash queries of committed adversaries is about $q_{hash} = 2^{\ldots}$ (see Section 4.4).

We therefore devise a new method of constructing signature schemes from ID schemes so that any one signature from the forger is enough to break the underlying hard problem.



4. t 

Recall that in Fiat-Shamir-like signature schemes, the signer comes up with the commitment and then uses $H$ applied to the commitment and the message to produce the challenge. We propose that instead the signer first come up with the challenge and then use $H$ applied to the challenge and the message to produce the commitment. Namely, we swap the challenge and the commitment.

This method applies whenever the signer can compute the response given only the challenge and the commitment. It does not apply when information used during the generation of the commitment is necessary to compute the response. For example, it does not apply to discrete-logarithm-based ID schemes (such as the Schnorr scheme [Sch89]) in which the prover needs to know the discrete logarithm of the commitment in order to provide the response.

Additionally, in order to use this method, one needs to get around the problem that the commitment is selected from some structured set (such as $Q_n$ in the case of E), while $H$ returns a random binary string. This problem can usually be easily solved. The only case known to us when it seems to present a real obstacle is in the scheme of Ohta and Okamoto ([OO88]) in the case when an exponent $L$ is used such that $\gcd(L, (p_1 - 1)(p_2 - 1)) > 2$.

The key-generation algorithm and the private key may need to be modified slightly in order to provide the signer with the additional information needed to compute the response from a random commitment, rather than from a commitment that it generated. The verification algorithm remains vastly unchanged.

In the next section, we exemplify our proposed method and explain why it results in a tighter security reduction.

4.3 E-swap

Description. The scheme depends on two security parameters: $k$ and $l$. Let $H : \{0,1\}^* \to Z_n$ be a random function.

Key Generation. The key generation is the same as in the E scheme, except for one additional step (step 6) and extra information in the private key:

1. Generate two random primes $p_1 \equiv 3 \pmod 8$ and $p_2 \equiv 7 \pmod 8$ and $n = p_1 p_2$ so that $2^{l-1} \le n - p_1 - p_2 + 1 < 2^{l}$ and $p_1 + p_2 - 2 \le 2^{l/2}$

2. Generate coefficient $c = p_1^{-1} \bmod p_2$ for use in the Chinese remainder theorem

3. Compute $u_i = 2^{-(k+1)} \bmod \frac{p_i - 1}{2}$ for $i = 1, 2$ (note that $u_i$ is such that raising a square to the power $u_i$ modulo $p_i$ will compute its $2^{k+1}$-th root)

4. Compute $s_i = (4^{-1})^{u_i} \bmod p_i$ for $i = 1, 2$

5. Compute $v = (s_2 - s_1)c \bmod p_2$ and $s = s_1 + v p_1$ to get $s = 4^{-2^{-(k+1)}} \bmod n$

6. If $u_i$ is odd, make it even by setting $u_i = u_i + \frac{p_i - 1}{2}$ for $i = 1, 2$ (note that now $u_i$ is such that raising a square or its negative to the power $u_i$ modulo $p_i$ will compute its $2^{k+1}$-th root)

7. Output $n$ as the public key and $(n, s, u_1, u_2, p_1, p_2)$ as the secret key

Signing

1. Generate a random $k$-bit $\sigma$ and compute $t = s^{\sigma} \bmod n$ (note that this step can be done off-line, before the message is known).

2. Compute $X = H(\sigma, M)$. We will assume $X \in Z_n^*$ (i.e., $\gcd(X, n) = 1$), because the probability of $X \notin Z_n^*$ is at most $2^{-l/2}$. If the Jacobi symbol $\left(\frac{X}{n}\right) = -1$, set $X = 2X \bmod n$. Now either $X$ or $-X$ is in $Q_n$. Compute $Y = F_{0\sigma}^{-1}(\pm X)$ via $y_i = X^{u_i} \bmod p_i$ for $i = 1, 2$, $v = (y_2 - y_1)c \bmod p_2$, $y = y_1 + v p_1$ and $Y = ty \bmod n$.

3. Output $(Y, \sigma)$.

Verifying

1. Verify that $Y \not\equiv 0 \pmod n$ and compute $X = F_{0\sigma}(Y)$ via $t_1 = Y^{2^{k+1}} \bmod n$, $t_2 = 2^{2\sigma} \bmod n$, $X = t_1 t_2 \bmod n$ (this step is the same as for the E scheme).

2. Let $X' = H(\sigma, M)$. If $X \equiv \pm X' \pmod n$ or $X \equiv \pm 2X' \pmod n$, accept the signature (this step differs slightly from the E scheme).
Security of E-swap.

Theorem 3. If there exists a forger $F$ that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E-swap scheme with security parameters $l$ and $k$, then there exists an algorithm that $(t', \epsilon')$-factors integers generated by the key generation algorithm, for
$$t' = t + 2(q_{sig} + q_{hash} + 1)T_1 + T_2,$$
$$\epsilon' = (\epsilon - \gamma) - (q_{hash} + q_{sig} + 1)2^{-l/2},$$
where $T_1$ is the time required to perform an E-swap signature verification, $T_2$ is the time required to factor $n$ given the two values $x$ and $x'$ of Lemma 1 (essentially a gcd computation) and $\gamma = q_{sig}(q_{hash}+1)2^{-k}$ (note that $\gamma$ is close to 0 for any reasonable $q_{sig}$, $q_{hash}$ and $k$).

Proof. Familiarity with the proof of Theorem 1 will be helpful for understanding this proof.

Let $F$ be a forger that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E-swap signature scheme. Similarly to the proof of Theorem 1, we will construct an algorithm $A$ that, after interacting with $F$, will produce $Y$, $Y'$ and $\sigma \ne \tau$ such that $F_{0\sigma}(Y) = F_{0\tau}(Y')$.

The main idea is to answer each hash query on $(\sigma, M)$ with an $X$ computed via $X = F_{0\tau}(Y')$ for a random $Y' \in Z_n^*$ and arbitrary $\tau$ that is different from $\sigma$. Then if $F$ forges a signature $(Y, \sigma)$ on $M$, we will have $F_{0\sigma}(Y) = F_{0\tau}(Y')$ and will be able to factor $n$.

The complete details of the proof are available in the full version of this paper and are omitted here in the interests of space.



Theorem 4. If there exists a forger $F$ that $(t, q_{sig}, q_{hash}, \epsilon)$-breaks the E-swap scheme with security parameters $l$ and $k$ such that
$$(q_{hash} + q_{sig} + 1)2^{-l/2} + q_{sig}(q_{hash}+1)2^{-k} < \epsilon,$$
then there exists an algorithm that $(t', 0.632)$-factors integers generated by the key generation algorithm, for
$$t' = \frac{t + 2(q_{sig} + q_{hash} + 1)T_1}{(\epsilon - \gamma) - (q_{hash} + q_{sig} + 1)2^{-l/2}} + T_2,$$
where $T_1$, $T_2$ and $\gamma$ are as in Theorem 3.

Proof. Let
$$\epsilon' = (\epsilon - \gamma) - (q_{hash} + q_{sig} + 1)2^{-l/2}.$$
By assumption, $\epsilon' > 0$. Now if we repeat the algorithm $A$ constructed in the proof of Theorem 3 up to $1/\epsilon'$ times (except for the final gcd computation, which need only be done once), we will get the desired algorithm, similarly to the proof of Theorem 2.
Similarly to the E scheme, we have the following two corollaries.

Corollary 3. If factoring integers generated by the key generation algorithm is $(t', \epsilon')$-secure, then the E-swap signature scheme is $(t, q_{sig}, q_{hash}, \epsilon)$-secure for
$$q_{sig} \le \min\left(\frac{2^{k-1}\epsilon'}{q_{hash}+1},\ 2^{l/2-1}\epsilon' - q_{hash} - 1\right),$$
$$t = t' - 2(q_{sig} + q_{hash} + 1)T_1 - T_2,$$
$$\epsilon = 2\epsilon'.$$

Proof. The condition on $q_{sig}$ ensures that $(\epsilon - \gamma) - (q_{hash} + q_{sig} + 1)2^{-l/2} \ge \epsilon/2$. The rest follows, similarly to the proof of Corollary 1, from solving the equations of Theorem 3 for $t$ and $\epsilon$.
Corollary 4. If factoring integers generated by the key generation algorithm is $(t', 0.632)$-secure, then the E-swap signature scheme is $(t, q_{sig}, q_{hash}, \epsilon)$-secure for
$$q_{sig} \le \min\left(\frac{2^{k-2}\epsilon}{q_{hash}+1},\ 2^{l/2-2}\epsilon - q_{hash} - 1\right),$$
$$t = \frac{\epsilon\,(t' - T_2)}{2} - 2(q_{sig} + q_{hash} + 1)T_1.$$

Proof. The condition on $q_{sig}$ ensures that $(\epsilon - \gamma) - (q_{hash} + q_{sig} + 1)2^{-l/2} \ge \epsilon/2$. The rest follows, similarly to the proof of Corollary 2, from solving the equations of Theorem 4 for $t$ and $\epsilon$.



4.4 Parameter Choice

The formulas in Corollaries 1–4 are quite different. Nonetheless, it is immediately clear that E-swap saves a factor of $q_{hash}$ either in time or in probability. This is a big advantage for E-swap because $q_{hash}$ can be quite big.

A fuller comparison, provided in the next section, depends on the actual values of the parameters $q_{sig}$, $q_{hash}$, $k$ and $l$. Let us deal here, however, with the preliminary problem of assigning reasonable values to these parameters.

We believe it reasonable to set $q_{sig} = 2^{\ldots}$ and $q_{hash} = 2^{\ldots} - 1$. This is so because signature queries have to be answered by the honest signer (who may not be willing or able to sign more than a billion messages), while hash queries can be computed by the adversary alone (who may be willing to invest extraordinary resources). Notice that we recommend a higher value for $q_{hash}$ than suggested in [BR96].

We recommend setting $k = \ldots$ for the E scheme and $k = \ldots 2$ for E-swap. For the E scheme, this is so because, from Corollaries 1 and 2, we see that $2^{-k}(q_{hash}+1)$ has to be small (the value of $2^{-k}(q_{hash}+1)$ is essentially the success probability of the simple attack that relies on correctly guessing one hash value among $q_{hash}+1$ hash queries). Therefore, we need $2^{-k}$ to be small, and by setting $k$ as above we make it less than $2^{-\ldots}$. For E-swap, this is so because $2^{k-1}$ has to be at least $q_{sig}(q_{hash}+1) = 2^{\ldots}$ from Corollaries 3 and 4.

As for $l$, notice that both E and E-swap are immediately broken if the adversary succeeds in factoring the $l$-bit modulus. Therefore, $l$ ought to be at least $\ldots$. Given the above choices for the other parameters, such a minimum value for $l$ is large enough to make all the constraints involving $l$ in Corollaries 1–4 satisfied (for any reasonable $\epsilon$ in the case of Corollaries 3 and 4). Thus, the value of $l$ depends on the presumed security of factoring, as discussed in the next section.



s f r ct c rit - st sis 

5.1 Costs of Security

The desired level of security is usually dictated by the specific application. It is after settling on the desired amount of security that choosing among the various secure schemes becomes crucial. Indeed, when choosing a signature scheme, the goal is to maintain the desired level of security at the least possible cost. In a sense, picking a signature scheme is similar to shopping for an insurance policy for the desired face value.

The costs of a signature scheme, however, are quite varied. They may include the sizes of keys and signatures, the efficiencies of generating keys, signing and verifying, the amounts of code required, and even "external" considerations, such as the availability of inexpensive implementations or off-the-shelf hardware components. In this paper, we focus on the efficiencies of signing and verifying. These are particularly important when signing or verifying is performed by a low-power device, such as a smart card, or when signing or verifying needs to be performed in bulk quantities, as on a secure server.

It is for these costs, then, that below we compare the E and E-swap schemes. We also provide a comparison of the E scheme with the PRab scheme from [BR96], arguably the most practical among those tightly related to factoring. (The reason for choosing PRab rather than its RSA variant is that the latter is tightly related to RSA, and thus potentially less secure than factoring.)

5.2 Comparison of E and E-swap

The efficiency of signature verification in E is about the same as in E-swap. The security of E-swap is generally higher than the security of E for the same security parameters. Therefore, if the efficiency of verifying is the only significant component in the cost, E-swap will be able to provide the same amount of security for less cost than E.

A more difficult case to analyze is the case when the efficiency of signing is of main concern. We will limit our analysis to the case when we are only concerned with the on-line part of signing. In both cases, this involves mainly a modular exponentiation. Therefore, a variety of sophisticated algebraic methods can be used here, but these methods apply equally to E and E-swap. We thus find it simpler to compare the two under "standard" implementations using the Chinese remainder theorem (CRT). Then the total amount of time required for on-line signing in the E scheme is about $3kl^2/4$ and the total required for on-line signing in E-swap is about $3l^3/8$, not counting the (relatively small) cost of computing the Jacobi symbol. (In sum, on-line signing is $l/(2k)$ times faster for E than for E-swap for the same value of $l$.)

Let us now see how the security of the two schemes compares assuming the on-line signing costs are the same. Let $l_E$ and $k_E$ be the security parameters for E, and $l_{ES}$ and $k_{ES}$ be the security parameters for E-swap. The on-line signing costs for E and E-swap are the same if
$$l_{ES} = (2 k_E l_E^2)^{1/3}. \qquad (1)$$
The best known factoring algorithms take time about
$$T(l) = \exp\left(\gamma\, l^{1/3} (\ln l)^{2/3}\right)$$
for some constant $\gamma$ [93]. Therefore, we will assume that factoring $l$-bit integers generated by the key generation algorithm is $(c\, T(l), 0.99)$-secure for some $c$ and some constant $\gamma$. Using the formulas given by Corollaries 2 and 4 and the values for $q_{sig}$, $q_{hash}$, $k_E$ and $k_{ES}$ as given in Section 4.4, we can now find out when the E scheme becomes more secure than E-swap if we keep the signing costs equal.

The details of further algebraic manipulations are omitted here and given in the full paper. The result is that at $l_E$ = 6 9, $l_{ES}$ = 954, $k_E$ = , $k_{ES}$ = 2, E and E-swap provide about the same security and the same performance for on-line signing. Beyond this point, the gap in security for the same performance increases exponentially in favor of E.

Thus, the signing algorithm of the E scheme is so fast that provable security and signing efficiency are the same when E uses 6 9-bit moduli and E-swap 954-bit moduli. In both cases, the security is that of factoring a 954-bit integer generated by the key generation algorithm. (The E scheme may actually be even more secure, but we cannot prove it!)

It just so happens that this computed level of security is currently considered adequate for many applications. (Therefore, for these applications E-swap is preferable: E-swap has faster verification for the same level of security, as well as shorter keys and, therefore, shorter signatures.)

However, whenever the application calls for a higher level of security, and the dominant cost is that of signing, then the "loosely"-secure E becomes preferable because the security gap between E and E-swap, given the same performance, increases exponentially.
5.3 Comparison of the E Scheme with PRab

The security of PRab is tightly related to that of modular square roots, rather than factoring. A factor of 2 in probability is lost (as compared to E-swap) when one relates the security of PRab to that of factoring. PRab's performance for on-line signing is about the same as E-swap's (PRab requires a few more Jacobi symbol computations, but no separate modular multiplication). A vastly similar analysis leads to the following conclusion: provable security and signing efficiency are the same when E uses 59 9-bit moduli, and PRab 929-bit moduli.

Also here this is a "cross-over" point: the gap in security for the same performance increases exponentially in favor of the E scheme. As we can see, this cross-over point is just slightly more in favor of E than the cross-over point of E and E-swap. This is because of the factor of 2 difference in the security of E-swap and PRab.

Acknowledgments

We would like to thank Salil Vadhan for pointing out an error in an earlier version of this work and Mihir Bellare for suggesting an improvement in the security analysis of the E scheme using an idea from [ 99].
1 Introduction

The rapid development of the Internet has made a revolution over our daily life. Information is abundantly and easily accessible to everyone who has a connection to the worldwide information superhighway. Internet applications like electronic commerce, electronic messaging (e.g. e-mails) as well as the World Wide Web provide great convenience to the modern society and they eventually transform commerce, education, provision of government services and almost every other aspect of modern life.

However, the privacy issues accompanying these innovations cannot be neglected. The potential interception or misuse of personal data collected from the provision of Internet services is a threat to user privacy. Moreover, the rapid development of data mining technologies makes this threat more severe. This results in the calling of anonymous Internet access.

We believe that anonymity should be provided conditionally. In the later part of this paper, we will propose a cryptographic solution that can achieve conditional anonymous Internet connections, which is developed based on the electronic cash protocol introduced in [ ]. In our protocol, user anonymity is maintained so long as the user does not misbehave. In this way, user privacy is protected while anonymity is not abused.

R. Baumgart (Ed.): CQRE '99, LNCS 1740, pp. - , 1999.
© Springer-Verlag Berlin Heidelberg 1999
2 Privacy in Internet Access Service

Internet services providers (ISPs) can learn much about their customers, as all information that will pass to an Internet user must first pass through the proxies residing in their servers. Even though encryption techniques are used so that third parties cannot interpret the contents being transmitted, the ISP can still determine what web sites or which articles a particular user has visited. This is because every Internet object request originated from the users is logged in the ISP's proxy cache. This is referred as the 'clicktrails' data collection. Collecting and analyzing the 'clicktrails' data can derive much information about a person.

2.1 Present Privacy Policies

The collection of personal data is unavoidable in many occasions (e.g. opening a bank account). Some existing privacy ordinances such as [2] allow services providers to collect user's private information for the purpose intended, but prevent them from changing the usage of such data. For the case of Internet services provision, at present, an ISP has the right to collect 'clicktrails' data and hold log files of user Internet usage for the purposes of system maintenance and troubleshooting. Individual ISP also has own policy on privacy, however the standard diverges and user privacy is sometimes not properly protected.

2.2 First Anonymous Internet Service Solutions

Several anonymous Internet services technologies have been developed. They aim at hiding the user identity from the remote sites. For example, the anonymous web servers such as [3] fetch the requested objects on behalf of the users, so that the remote host receives the request apparently originated from the server. There are also technologies such as the onion routing [4] providing anonymous connection in which routing information is hidden.

2.3 Conditional Anonymous Internet Access Service

In order to prevent the abuse of the data in log files, users should remain anonymous to the ISP during Internet object requests. This can be achieved by using cryptographic methods. In Section three of this paper, we will present a conditional anonymous Internet access protocol that has the following features:

— User is anonymous to the ISP during Internet access.

— ISP has no way to relate a requested object to its requester if it is fetched via the ISP's proxy.

— The anonymity is conditional, the user identity is revealed when misbehavior is detected.

— This protocol is transparent to other applications; and it is interoperable among different ISPs.

Here we assume the employment of caller-ID blocking so that the ISP cannot trace the user identity from the phone number.
3 The Protocol

We developed our protocol motivated by the e-cash protocol proposed in [2]. In our system, the user logins with a pass
$$(x,\ f(x)^{1/3} \pmod n)$$
in which the first term is the pseudonym of the user and the second term is the ISP's public key signature [5]. Here $n$ is a published composite and only the ISP knows its factors, $f(\cdot)$ is a one-way function known by both the user and the ISP and $x$ is the pseudonym chosen by the user. We firstly introduce a simpler version of the protocol, in which anonymous Internet connection without user identity recovery is achieved. In later section, we will discuss how the protocol is modified so that the user's identity can be revealed in case of any misbehavior occurrence.

3.1 Issuing Passes to Alice Using Blind Signature [6]

To open an account, Alice generates $x$ and $r$, where $x$ is a pseudonym which she will use to access the Internet services and $r$ is a blinding factor. These numbers are only known by Alice. She presents the following token:
$$T = r^3 \cdot f(x) \pmod n$$
to the ISP.

Upon receiving $T$ and having verified on Alice's identity, the ISP signs on $T$ by calculating the third root of $T$ modulo $n$ and returns $T^{1/3} \pmod n$, i.e. $r \cdot f(x)^{1/3} \pmod n$, to Alice. It is assumed that only the server has the knowledge to compute the third root modulo $n$ [5]. Alice then extracts $f(x)^{1/3} \pmod n$ from the returned token by dividing $T^{1/3} \pmod n$ with $r$ and form her pass:
$$pass = (x,\ f(x)^{1/3} \pmod n).$$
This pass is saved at Alice's side. She logins with this anonymous pass instead of her login name from now on. The server has no way to relate Alice to her pseudonym because it cannot see the value of $x$ when it signs on $T$.

3.2 Account Operations

An account for $x$ is created, where $x$ is the pseudonym of Alice. When Alice logins, she presents the pass instead of using her own user name and password. Authentication is done by verifying the value of $f(x)^{1/3} \pmod n$ from the pass. All other account operations are similar to the existing system. Since the server has no knowledge on the identity of $x$, anonymous Internet service provision is achieved.
4 Key Recovery of Identity

In Section 3 we presented the simpler version of our protocol. In this section, we modify it so that the following desirable additional properties can be achieved:

— Alice is the only legitimate user of the pass.

— Alice's identity will be revealed when necessary.

The modification is based on the double spending prevention solution presented in [2]. The latter property enables identity revocation in critical situations. In the modified version of the protocol, a trusted third party (TTP) is involved.

We define a valid pass has the following format:
$$(pseudonym,\ \{pseudonym\}_{ISP\ sign},\ \{pseudonym\}_{TTP\ sign}).$$
Here we make the same assumption that only the ISP has the knowledge to compute the third root modulo $n$.

4.1 Getting Pass

Let $f$ and $g$ be some two-argument collision-free functions as described in [2]. And let $u$ be a unique identifying number of Alice (e.g. the account number).

Instead of producing a single blinding factor as in the previous section, four independent sets of random numbers each consists of $k$ elements, $a$, $c$, $d$ and $r$, are generated.

In order to obtain the blind signature from the ISP, Alice forms and sends $T_i$'s in the following manner:
$$T_i = r_i^3 \cdot f(x_i, y_i) \pmod n$$
where $i = 1$ to $k$,
$$x_i = g(a_i, c_i)$$
and
$$y_i = g(a_i \oplus u,\ d_i).$$

Notice that at this stage, the ISP knows Alice's identity, $u$. In order to verify the $T_i$'s presented by Alice, the ISP undergoes the following steps:

1. It chooses randomly a set of $k/2$ integers, $R = \{i_j\}$, where $1 \le i_j \le k$ and $1 \le j \le k/2$.

2. It asks Alice to show the values of $r_i$, $a_i$, $c_i$ and $d_i$ for every $i \in R$.

3. It compares the $k/2$ presented $T_i$'s and see if it can be derived from these $r_i$, $a_i$, $c_i$, $d_i$ and $u$.

After that, the ISP gives Alice
$$\prod_{i \notin R} T_i^{1/3} \pmod n$$
and Alice can easily extract the following component:
$$\prod_{i \notin R} f(x_i, y_i)^{1/3} \pmod n,$$
which corresponds to the ISP's blind signature on the pseudonym,
$$p = \prod_{i \notin R} f(x_i, y_i) \pmod n.$$
Notice that the ISP has no way to relate $p$ to $u$ because it cannot see $x_i$ and $y_i$ for $i \notin R$.

Alice also needs to get the signature from the TTP. Before signing on $p$, the TTP verifies the validity of $p$ and writes part of the information about Alice's identity into the database. Notice that Alice is anonymous to the TTP and the information obtained by the TTP is not enough for it to compute Alice's identity.

To perform this task, the same set of $T_i$'s are presented to the TTP. The TTP performs the following procedures:

1. It asks Alice to give the values of $x_i$, $(a_i \oplus u)$ and $d_i$ for every $i \notin R$.

2. It verifies if the corresponding $T_i$'s can be derived from the presented values.

3. If the verification succeeds, the TTP stores the values $(a_i \oplus u)$ along with $p$ into the database.

The TTP verifies and signs on the pseudonym $p$:

1. For every $i \in \bar{R}$ where $\bar{R} = \{i \in Z : i \notin R,\ 1 \le i \le k\}$, it checks if the values of $x_i$, $(a_i \oplus u)$ and $d_i$ match the corresponding $T_i$'s involved in $p$.

2. It signs on the pseudonym $p$ using normal public-key signature schemes.

Upon receiving the TTP's signature, Alice can then form the pass:
$$(pseudonym,\ \{pseudonym\}_{ISP\ sign},\ \{pseudonym\}_{TTP\ sign}).$$
In the process of pass verification just mentioned above, the cryptographic method, zero-knowledge proof, is employed. It enables one to prove his/her identity to the other party without revealing the identity. More details can be found in [7].
4.2 Account Operations

Account operations can be performed as usual. However, there are some differences in pass verification.

Verification of a pass includes three procedures, namely the verifications of the ISP signatures and that of the TTP signatures, and also the process to ensure Alice (who is anonymous to the ISP) is indeed a valid holder of the pass.

The first two processes can be performed directly using the public-key signature verification schemes, while the last part is done by the following:

1. The ISP generates a random binary vector $Z = (z_1, z_2, \ldots, z_{k/2})$ where the element $z_i$ corresponds to the number in the set $\bar{R}$.

2. Alice responds according to the following rule:

— If $z_i = 0$, Alice sends the ISP $a_i$, $c_i$ and $y_i$.

— If $z_i = 1$, Alice sends the ISP $x_i$, $(a_i \oplus u)$ and $d_i$.

3. From the received values, the ISP can check if the corresponding $T_i$'s can satisfy the pass.

4.3 Identity Revocation

In this protocol, a user remains anonymous so long as he/she does not misbehave. In this way, a limited anonymity is provided so that user privacy cannot be abused. This is done by the cryptographic method of secret splitting, in which a piece of secret is divided among two or more parties and each part alone does not have knowledge about the secret [ ].

When misbehavior of the holder of $p$ is detected or in case of any appeals, the court asks the ISP to present the pass along with $a_i$ for $i \in R'$ which it obtains during the pass verification process. The court also gathers the corresponding $(a_j \oplus u)$ for $j \in S$ where $S = R \cup R'$ from the TTP. Notice that $S \cap \bar{R} \ne \emptyset$ and let $e$ be an element in $S \cap \bar{R}$. The user identity is revealed as:
$$u = a_e \oplus (a_e \oplus u).$$

5 Security Analysis

This section analyzes the strength of our protocol in resistance of different potential threats.

Alice remains anonymous to the ISP. This is because during the stage of pass issuing, Alice prepares $k$ candidates of $T_i$'s and the ISP only randomly challenges on $k/2$ of them. The other $k/2$ values which are used to form the pass are never seen by the ISP. During the authentication process, the ISP only randomly challenges on the $k/2$ unseen values. Therefore the ISP cannot relate the identity of Alice to the pass that she possesses.

During the pass issuing stage, Alice is not anonymous and the ISP should make sure Alice's identity before signing on the pass. This can be done by employing a digital certificate scheme, in which one's identity is proved by a recognized digital certificate. In this way, the identity of the pass requirer can be ensured.

5.3 […]

Since the ISP only sees half of the candidates of r_i, a_i, c_i and d_i, for i ∈ R, in the pass issuing process Alice may have a chance to cheat. She does this by not using a valid identity in the calculation of those k/2 T_i's which are not examined by the ISP. However, the chance of successful cheating decreases exponentially with the value of k. For example, when k equals 16, the chance for the ISP choosing none of Alice's cheated R's is 1/2^8 = 0.0039. When k increases to 32 the chance further decreases to 1/2^16 = 1.526 × 10^-5.

5.4 […]

Suppose Alice's pass is stolen by Carol during the pass issuing stage; this will not bring any loss to Alice because Carol does not know the secrets that Alice is holding. That is, Carol does not know a_i, c_i and y_i for every i ∈ R, which are involved in the random challenge process during future logins. Therefore she cannot use the pass.

Suppose Carol steals the pass at later stages so that she also steals the numbers a_i and y_i for some i ∈ R. In this case, however, she cannot use the pass until she obtains a_i, c_i and y_i for every i ∈ R. This is because different elements in a, c and y are challenged randomly each time, so Carol can only obtain some of them each time. When Carol has waited long enough to collect a_i, c_i and y_i for every i ∈ R, Alice may have already changed her pass.

6 Efficiency

Compared with the non-anonymous Internet access scheme, our user anonymous Internet access protocol may require more computational power. In this section we analyze the computational effort involved.

6.1 Random Number Generation

During the initial stage where the pass is issued, a total number of 4k random integers need to be generated. Here k is suitable and large enough to prevent cheating from any potential parties, as explained in Section 5.3. For example, if k = 32, then 128 random numbers are generated.

The number of bits of these random numbers is arbitrary. For example, when 32-bit binary numbers are used, the possible variation for the values of r_i, a_i, c_i, d_i equals 2^32 = 4294967296. When a 64-bit binary number is used instead, the number of possible variations of these values is increased to 2^64 = 18446744073709551616. The higher the number of bits, the more secure but slower the system is.

6.2 Signing on the Pass

The ISP's signature on the pass. When the ISP makes a blind signature on Alice's pass, it needs to verify the pass using the cut-and-choose method. This involves the verification of the k/2 presented T_i's, and each of the verifications involves 3 hashes. The ISP also needs to verify Alice's identity and this involves one public-key certificate verification. Therefore the ISP needs to undergo 3k/2 hashes, one certificate verification and one public-key signature when it signs on a pass.

The […]'s signature on the pass. For the […], two procedures are involved in the signing process. Firstly it verifies the x_i, (a_i […]), and […] for every i. This involves 2[…] hashes. Secondly it checks if the k/2 T_i's involved in the pass are valid. This requires another […] hashes. Therefore the […] needs to undergo 5[…] hashes and one public-key signature when it signs on a pass.

6.3 Pass Verification

When a user logs in, the ISP undergoes random challenge and checks if the user is a legitimate holder of the pass. This involves the generation of a k/2-bit random binary number and 2z hashes, where z is the number of 1's in the binary number (z ≤ k/2).

6.4 Identity Recovery

When the user misbehaves and his/her identity is going to be revealed, this simply requires one secret sharing and one calculation.

To conclude, most operations undergone in our protocol are hashes, and they are light in terms of computational power [9].

7 Conclusion

In this paper we have pointed out the privacy problems involved in Internet access. We also proposed a cryptographic solution to the problem, which is motivated by the electronic cash protocols. Our protocol supports anonymous user login to a provider's servers so that the Internet usage habit of a user cannot be traced and analysed. However, the user cannot abuse his/her anonymity because our protocol enables a misbehaved user's identity to be revealed. This is achieved by a key escrow method in which a trusted third party keeps half of the secret about the user's identity.

In addition, our protocol resides on the application layer and does not require changes in other layers during implementation. With suitable legislation, user privacy of Internet access can be properly protected.

The author would like to thank Professor Victor […] for his supervision on
The Point-to-Point Tunneling Protocol (PPTP) is used to secure PPP connections over TCP/IP links. In response to [SM98], Microsoft released extensions to the PPTP authentication mechanism (MS-CHAP), called MS-CHAPv2. We present an overview of the changes in the authentication and encryption-key generation portions of MS-CHAPv2, and assess the improvements and remaining weaknesses in Microsoft's PPTP implementation.

1 Introduction

The Point-to-Point Tunneling Protocol (PPTP) [HPV+97] is a protocol that allows Point-to-Point Protocol (PPP) connections [Sim94] to be tunneled through an IP network, creating a Virtual Private Network (VPN). Microsoft has implemented its own algorithms and protocols to support PPTP. This implementation of PPTP, called Microsoft PPTP, is used extensively in commercial VPN products precisely because it is already a part of the Microsoft Windows 95, 98, and NT operating systems.

The authentication protocol in Microsoft PPTP is the Microsoft Challenge/Reply Handshake Protocol (MS-CHAP) [ZC98]; the encryption protocol is Microsoft Point to Point Encryption (MPPE) [PZ98]. After Microsoft's PPTP was cryptanalyzed [SM98] and significant weaknesses were publicized, Microsoft upgraded their protocols [Zor98a, Zor98b, Zor99]. The new version is called MS-CHAP Version 2 (MS-CHAPv2); the older version has been renamed MS-CHAP Version 1 (MS-CHAPv1). MS-CHAPv2 is available as an upgrade for Microsoft Windows 95, Windows 98, and Windows NT 4.0 (…1.3) [Mic98a, Mic98b]. Even though this upgrade is available, we believe that most implementations of PPTP use MS-CHAPv1.

This paper examines MS-CHAPv2 and discusses how well it addresses the security weaknesses outlined in [SM98].

Baumgart (Ed.): CQRE '99, LNCS 1740, pp. […], 1999.
© Springer-Verlag Berlin Heidelberg 1999
The most significant changes from MS-CHAPv1 to MS-CHAPv2 are:

- The weaker LAN Manager hash is no longer sent along with the stronger Windows NT hash. This is to prevent automatic password crackers like L0phtcrack […99] from first breaking the weaker LAN Manager hash and then using that information to break the stronger NT hash […97].

- An authentication scheme for the server has been introduced. This is to prevent malicious servers from masquerading as legitimate servers.

- The change password packets from MS-CHAPv1 have been replaced by a single change password packet in MS-CHAPv2. This is to prevent the active attack of spoofing MS-CHAP failure packets.

- MPPE uses unique keys in each direction. This is to prevent the trivial cryptanalytic attack of XORing the text stream in each direction to remove the effects of the encryption [SM98].

These changes do correct the major security weaknesses of the original protocol: the inclusion of the LAN Manager hash function and the use of the same encryption key multiple times. However, many security problems are still unaddressed: e.g., how the client protects itself, the fact that the encryption key has the same entropy as the user's password, and the fact that enough data is passed on the wire to allow attackers to mount crypt-and-compare attacks.

This being said, Microsoft obviously took this opportunity to not only fix some of the major cryptographic weaknesses in their implementation of PPTP, but also to improve the quality of their code. The new version is much more robust against denial-of-service style attacks and no longer leaks information regarding the number of active sessions.

2 MS-CHAP, Versions 1 and 2

MS-CHAPv1 is a challenge/response mechanism as described in [SM98]. It consists of the following steps:

1. The Client requests a login challenge from the Server.

2. The Server sends back an 8-byte random challenge.

3. The Client uses the LAN Manager hash of its password to derive three DES keys. Each of these keys is used to encrypt the challenge. All three encrypted blocks are concatenated into a 24-byte reply. The Client creates a second 24-byte reply using the Windows NT hash and the same procedure.

4. The Server uses the hashes of the Client's password, stored in a database, to decrypt the replies. If the decrypted blocks match the challenge, the authentication completes and sends a "success" packet back to the Client.

This exchange has been modified in MS-CHAPv2. The following is the revised protocol:

1. The Client requests a login challenge from the Server.

2. The Server sends back a 16-byte random challenge.

3a. The Client generates a random 16-byte number, called the "Peer Authenticator Challenge."

3b. The Client generates an 8-byte challenge by hashing the 16-byte challenge received in step (2), the 16-byte Peer Authenticator Challenge generated in step (3a), and the Client's username. (See Section 3 for details.)

3c. The Client creates a 24-byte reply, using the Windows NT hash function and the 8-byte challenge generated in step (3b). This process is identical to MS-CHAPv1.

3d. The Client sends the Server the results of steps (3a) and (3c).

4a. The Server uses the hashes of the Client's password, stored in a database, to decrypt the replies. If the decrypted blocks match the challenge, the Client is authenticated.

4b. The Server uses the 16-byte Peer Authenticator Challenge from the Client, as well as the Client's hashed password, to create a 20-byte "Authenticator Response." (See Section 5 for details.)

5. The Client also computes the Authenticator Response. If the computed response matches the received response, the Server is authenticated.

A general description of the changes between MS-CHAPv1 and MS-CHAPv2 is given in Figure 1. This protocol works, and eliminates the most serious weakn[…] hash. These were two different hashes of the same user password. The LAN Manager hash is a much weaker hash function, and password-cracker programs such as L0phtcrack were able to break the LAN Manager hash and then use that information to break the Windows NT hash […97]. By eliminating the LAN Manager hash in MS-CHAPv2, Microsoft has made this divide-and-conquer attack impossible. Still, the security of this protocol is based on the password used, and L0phtcrack can still break weak passwords using a dictionary attack […99].
As we will discuss later, multiple layers of hashing are used in the different steps of MS-CHAPv2. While this hashing serves to obscure some values, it is unclear what the cryptographic significance of them are. All they seem to do is to slow down the execution of the protocol.
Figure 1: Deriving the 24-byte Response. In MS-CHAPv1, the Server sends the Client an 8-byte random challenge. This challenge is used, together with the Client's password and a hash function, to create a pair of 24-byte responses.

3 MS-CHAPv2: Deriving the 8-byte Challenge













In MS-CHAPv2, the Server sends the Client a 16-byte challenge. This challenge is not used by the Client directly; the Client derives an 8-byte value from this 16-byte challenge. The derivation process is as follows:

1. The Client creates a 16-byte random number, called the Peer Authenticator Challenge.

2. The Client concatenates the Peer Authenticator Challenge with the 16-byte challenge received from the Server and the Client's username.

3. The Client hashes the result with SHA-1 [NIS93].

4. The first eight bytes of the hash become the 8-byte challenge.

It is these bytes that the Client will use to encrypt the 16-byte local password hash (using the Windows NT hash function) to obtain the 24-byte response, which the Client will send to the Server. This method is identical to MS-CHAPv1, and has been described in [SM98].

3.1 Analysis

It is unclear to us why this protocol is so complicated. At first glance, it seems reasonable that the Client not use the challenge from the Server directly, since it is known to an eavesdropper. But instead of deriving a new challenge from some secret information — the password hash, for example — the Client uses a unique random number that is sent to the Server later in the protocol. There is no reason the Client cannot use the Server's challenge directly and not use the Peer Authenticator Challenge at all.
4 MS-CHAPv2: Deriving the 24-byte Response

Both MS-CHAPv1 and MS-CHAPv2 use the same procedure to derive a 24-byte response from the 8-byte challenge and the 16-byte password hash:

1. The 16-byte hash is padded to 21 bytes by appending five zero bytes.

2. Let X, Y, Z be the three consecutive 7-byte blocks of this 21-byte value, and let C be the 8-byte challenge. The 24-byte response R is calculated as

R = (DES_X(C), DES_Y(C), DES_Z(C)).

4.1 Analysis

This complicated procedure creates a serious weakness in the MS-CHAP protocols: it allows the attacker to speed up dictionary keysearch by a factor of 2^16, which is a pretty devastating effect given the relatively low entropy of most user passwords.

Suppose that we eavesdrop on a MS-CHAP connection. The response R is exposed in the clear, and the challenge C may be derived easily from public information. We will attempt to recover the password, using the knowledge that many passwords are closely derived from dictionary words or otherwise readily guessable.

Note first that the value of Z can be easily recovered: since there are only 2^16 possibilities for Z, and we have a known plaintext-ciphertext pair (C, DES_Z(C)) for Z, we may try each of the possibilities for Z in turn with a simple trial encryption. This discloses the last two bytes of the hash of the password.

We will use this observation to speed up dictionary search. In a one-time precomputation, we hash each of our guesses at the password (perhaps as minor variations on a list of words in a dictionary). We sort the results by the last two bytes of their hash and burn this on a CD-ROM (or a small hard drive). Then, when we see a MS-CHAP exchange, we may recover the last two bytes of the hash (using the method outlined above) and examine all the corresponding entries on the CD-ROM. This gives us a list of plausible passwords which have the right value for the last two bytes of their hash; then we can try each of those possibilities by brute force.

Suppose a naive dictionary attack would search N passwords. In our attack, we try only the passwords which have the right value for the last two bytes of their hash, so we expect to try only about N/2^16 passwords. This implies that the optimized attack runs about 2^16 times faster than a standard dictionary attack, if we can afford the space to store a precomputed list of possible passwords.

This attack is applicable to both MS-CHAPv1 and MS-CHAPv2. However, the weakness is much more important for MS-CHAPv2, because for MS-CHAPv1 it is easier to attack the LAN Manager hash than to attack the NT hash.

This is a serious weakness which could have been easily avoided merely by using a standard cryptographic hashing primitive. For instance, merely generating the response as R = SHA1-HMAC(hash, C) would be enough to prevent this attack.

This has been independently observed by […].
Note also that the MS-CHAP response generation algorithm is also a weak link, even when passwords contain adequate entropy. It is clear that the NT hash can be recovered with just two exhaustive keysearches (about 2^56 trial decryptions on average), or in just 9 days using a single EFF DES Cracker machine [Gil98]. Once the NT hash is recovered, all encrypted sessions can be read and the authentication scheme can be cracked with no effort. This shows that, even when using 128-bit RC4 keys, the MS-CHAP protocol provides at most the equivalent of 57-bit security. This weakness could also have been avoided by the simple change suggested above, R = SHA1-HMAC(hash, C).

It is not clear to us why the MS-CHAPv2 designers chose such a complicated and insecure algorithm for generating 24-byte responses, when a simpler and more secure alternative was available.
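The following Go program is an added illustration, not code from the paper or from Microsoft: it implements the Section 3 challenge hash and the Section 4 response derivation, reproduces the Section 4.1 observation that the third DES key Z has only 2^16 possible values (so the last two hash bytes can be checked by trial encryption against the third response block), and computes the SHA1-HMAC(hash, C) construction the paper recommends instead. All sample values are constructed; the 16-byte "NT hash" is an arbitrary byte string, not the hash of any password.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// Constructed sample inputs (not a real session): the "NT hash" is an
// arbitrary 16-byte string, not the MD4 hash of any password.
var (
	sampleAuthChallenge = []byte("0123456789abcdef") // 16-byte server challenge
	samplePeerChallenge = []byte("fedcba9876543210") // 16-byte Peer Authenticator Challenge
	sampleUsername      = "alice"
	sampleNTHash        = []byte{0x8a, 0x1f, 0x44, 0x9c, 0x02, 0xe7, 0x3b, 0xd5,
		0x60, 0x7e, 0xaa, 0x13, 0xc9, 0x55, 0x2d, 0xf1}
)

// challengeHash is Section 3: the 8-byte challenge is the first eight bytes of
// SHA-1(PeerAuthenticatorChallenge || ServerChallenge || Username).
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	h := sha1.New()
	h.Write(peerChallenge)
	h.Write(authChallenge)
	h.Write([]byte(username))
	return h.Sum(nil)[:8]
}

// expandDESKey spreads a 7-byte block over the 8-byte key form that crypto/des
// expects; the low bit of each output byte is the parity bit, which DES ignores.
func expandDESKey(k7 []byte) []byte {
	return []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
}

// desEncryptBlock returns DES_key(block) for a 7-byte key and an 8-byte block.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err) // cannot happen: the expanded key is always 8 bytes
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// challengeResponse is Section 4: pad the 16-byte hash to 21 bytes with zeros,
// split it into 7-byte DES keys X, Y, Z and return DES_X(C) || DES_Y(C) || DES_Z(C).
func challengeResponse(challenge, ntHash []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncryptBlock(padded[i:i+7], challenge)...)
	}
	return resp
}

// recoverHashTail reproduces the Section 4.1 observation: Z is the last two hash
// bytes followed by five zero bytes, so it has only 2^16 possible values, and one
// trial encryption per candidate against the third response block identifies it.
// It returns the two recovered bytes and the number of candidates tried.
func recoverHashTail(challenge, response []byte) ([]byte, int) {
	k7 := make([]byte, 7) // bytes 2..6 stay zero, exactly as the padding does
	for cand := 0; cand < 1<<16; cand++ {
		k7[0], k7[1] = byte(cand>>8), byte(cand)
		if bytes.Equal(desEncryptBlock(k7, challenge), response[16:24]) {
			return []byte{k7[0], k7[1]}, cand + 1
		}
	}
	return nil, 1 << 16
}

// hmacResponse is the construction the paper recommends instead,
// R = SHA1-HMAC(hash, C): every output bit depends on the whole hash, so no
// part of the response can be attacked separately from the rest.
func hmacResponse(ntHash, challenge []byte) []byte {
	m := hmac.New(sha1.New, ntHash)
	m.Write(challenge)
	return m.Sum(nil)
}

func main() {
	c := challengeHash(samplePeerChallenge, sampleAuthChallenge, sampleUsername)
	r := challengeResponse(c, sampleNTHash)
	tail, tried := recoverHashTail(c, r)
	fmt.Printf("8-byte challenge:   %x\n", c)
	fmt.Printf("24-byte response:   %x\n", r)
	fmt.Printf("hash[14:16] = %x recovered after %d trial encryptions (max 65536)\n", tail, tried)
	fmt.Printf("SHA1-HMAC(hash, C): %x\n", hmacResponse(sampleNTHash, c))
}
```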

5 MS-CHAPv2: Deriving the 20-byte Authenticator Response

In MS-CHAPv2, the Server sends the Client a 20-byte Authenticator Response. The Client calculates the same value, and then compares it with the value received from the Server in order to complete the mutual authentication process. This value is created as follows:

1. The Server (or the Client) hashes the 16-byte password hash with MD4 [Riv9…] to get password-hash-hash. (The Server stores the Client's password hashed with MD4; this is the password hash value.)

2. The Server then concatenates the password-hash-hash, the 24-byte response, and the literal string "Magic server to client constant", and then hashes the result with SHA.

3. The Server concatenates the 20-byte SHA output from step (2), the initial 8-byte generated challenge (Section 3) and the literal string "Pad to make it do more than one iteration", and then hashes the result with SHA.

The resulting 20 bytes are the mutual authenticator response.

5.1 Analysis

Again, this process is much more complicated than required. There is no reason to use SHA twice; a single hashing has the same security properties.

6 Analysis

We do not know why Microsoft chose such a complicated protocol, since this is not stronger than the following:

1. The Server sends the Client an 8-byte challenge.

2. The Client encrypts the 16-byte local password hash with an 8-byte challenge and sends the Server the 24-byte response, an 8-byte challenge of its own, and the username.

3. The Server sends a pass/fail packet with a 24-byte response to the Client's challenge, which is the user's password-hash-hash encrypted with the Client's 8-byte challenge.

The downside to the MS-CHAPv2 protocol is that an eavesdropper can obtain two copies of the same plaintext, encrypted with two different keys. However, in the current model, watching the network for any length of time will still give you multiple copies of a user challenge/response as the user logs in and out, which will be encrypted with different keys.

As it stands, a passive listener is still able to get the 8-byte challenge and the 24-byte response from the information sent. The popular hacker tool L0phtcrack […97], which breaks Windows passwords, works with this data as input. This task was much easier with MS-CHAPv1, since the weaker LAN Manager hash was sent alongside the stronger Windows NT hash; L0phtcrack first broke the former and then used that information to break the latter […99]. L0phtcrack can still break most common passwords from the Windows NT hash alone […97].

And this still does not solve the problem of using the user's hash for keying, authentication, etc. without negotiating, at least, machine public key/private key methods of changing such an important key.

This has been independently observed by […].

6.1 Version Rollback Attacks

Since Microsoft has attempted to retain some backwards compatibility with MS-CHAPv1, it is possible for an attacker to mount a "version rollback attack" against MS-CHAP. In this attack, the attacker convinces both the Client and the Server not to negotiate the more secure MS-CHAPv2 protocol, but to use the less secure MS-CHAPv1 protocol.

In its documentation, Microsoft claims that the operating systems will try to negotiate MS-CH APv2 first, and only drop back to MS-CHAPv1 if the first negotiation fails [Mic99]. Additionally, it is possible to set the Server to require MS-CHAPv2. We find this scenario implausible for two reasons. One, the software switches to turn off backwards compatibility are registry settings, and can be difficult to find. And two, since older versions of Windows cannot support MS-CHAPv2, backwards compatibility must be turned on if there are any legacy users on the network. We conclude that version rollback attacks are a significant threat.

7 MPPE

The original encryption mechanism in Microsoft's Point to Point Encryption protocol (MPPE) used the same encryption keys in each direction (Client to Server, and Server to Client). Since the bulk data encryption routine is the RC4 stream cipher [Sch96], this created a cryptographic attack by XORing the two streams against each other and performing standard cryptanalysis against the result.

In the more recent version, the keys are derived from MS-CHAPv2 credentials and a unique key is used in each direction. The keys for each direction are still derived from the same value (the Client's password hash), but differently depending on the direction.

7.1 Deriving MPPE Keys from MS-CHAPv2 Credentials

MPPE keys can be either 40 bits or 128 bits, and they can be derived from either MS-CHAPv1 credentials or MS-CHAPv2 credentials. The original derivation protocol (from MS-CHAPv1) was described in [SM98]. Briefly, the password hash is hashed again using SHA, and then truncated. For a 40-bit key, the SHA hash is truncated to 64 bits, and then the high-order 24 bits are set to 0xD1269E. For a 128-bit key, the SHA hash is truncated to 128 bits. This key is used to encrypt traffic from the Client to the Server and traffic from the Server to the Client, opening a major security vulnerability. This has been corrected in MS-CHAPv2.

Deriving keys from MS-CHAPv2 credentials works as follows:

1. Hash the 16-byte password hash, the 24-byte response from the MS-CHAPv2 exchange, and a 27-byte constant (the string "This is the MPPE Master Key") with SHA. Truncate to get a 16-byte master-master key.

2. Using a deterministic process, convert the master-master key to a pair of session keys.

For 40-bit session keys, this is done as follows:

1. Hash the master-master key, 40 bytes of 0x00, an 84-byte constant and 40 bytes of 0xF2 with SHA. Truncate to get an 8-byte output.

2. Set the high-order 24 bits to 0xD1269E, resulting in a 40-bit key.

The magic constants are different, depending on whether the key is used to encrypt traffic from the Client to the Server, or from the Server to the Client.

For 128-bit session keys, the process is as follows:

1. Hash the master-master key, 40 bytes of 0x00, an 84-byte constant (magic constant 2 or 3), and 40 bytes of 0xF2 with SHA. Truncate to get a 16-byte output.

7.2 Analysis

This modification means that unique keys are used in each direction, but does not solve the serious problem of weak keys. The keys are still a function of the password, and hence contain no more entropy than the password. Even though the RC4 algorithm may theoretically have 128 bits of entropy, the actual passwords used for key generation have much less. This having been said, using different keys in each direction is still a major improvement in the protocol.
7.3 Magic Constants

We are very concerned with the magic constants embedded in the key derivation algorithm for export-weakened keys. The protocol weakens RC4 keys to 40 bits by fixing the high bits of the 64-bit RC4 key to 0xD1269E. Yet this seems dangerous. It is known that, if an adversary is allowed to choose the high bits of the RC4 key, the adversary can force you into a weak key class for RC4 [Roo95, Wag95]. Therefore, if the MS-CHAP designers — or the export-reviewer folks — wanted to embed a trapdoor in the protocol, they could exploit the presence of magic constants to weaken RC4.

We do not know whether keys prefixed with 0xD1269E are unusually weak, but in our preliminary statistical tests we have found some suspicious properties of such keys that leave us with some cause for concern. To give two examples:

- Empirical measurements show that the first few bytes of output are biased, for keys which start with 0xD1269E. The first and second keystream bytes take on the values 0x09 and 0x00 with probabilities .0054 and .006[…], respectively. This is noticeably higher than the 1/256 = .0039 probability you'd expect from a good cipher.

- The key schedule mixes some entries in the state table poorly, for this class of keys. For instance, S[…] = 0xF8 holds with probability .3[…] ≈ 1/e, and S[2] = 0x98 holds with a similar probability.

These statistical properties are worrisome.

Because no information is given on how the value 0xD1269E was chosen, one has to worry that it could well be a "trapdoor choice" which forces all 40-bit keys into some weak key class for RC4. We invite the MS-CHAP designers to openly disclose how all magic constants were chosen and to provide concrete assurances that those magic values don't create any hidden trapdoors. In the meantime, we leave it as an open question to ascertain whether RC4 is secure when used with the fixed key-prefix 0xD1269E.
8 Attack on Export-Weakened Key Derivation

In this section we present a very serious attack on the way that exportable 40-bit session keys are generated. This weakness is also present in MS-CHAPv1 as well as MS-CHAPv2, but it had not been discovered until now.

The end result is that the so-called "40-bit keys" really only have an effective strength of about 26 bits. As a result, the export-weakened protocol can be cracked in near-realtime with only a single computer.

The […], which suggests that each key can be cracked in something like […]; with a […] of computers, the cracking performance of course can be greatly increased.

We recall that the key derivation process appends 40 secret bits (generated in some way which is irrelevant to our attack) to the fixed value 0xD1269E. The resulting 64-bit session key is used to RC4-encrypt the transmitted data. The problem is that this process introduces no per-session salt (compare to, e.g., […]), and thus can be broken with a time-space tradeoff attack.

For the remainder of this section, we assume that we can obtain a short segment of known plaintext (40 bits should suffice) at some predictable location. The known plaintext need not even occur at consecutive bit locations; the only requirement is that the bit positions be predictable in advance. This seems to be a very plausible assumption, when one considers the quantity of known headers and other predictable data that is encrypted. Let us assume for simplicity of description that this known plaintext occurs at the start of the keystream.

We will attack this protocol with a time-space tradeoff. The cost of a lengthy precomputation is amortized over many sessions so that the incremental cost of breaking each additional session key is reduced to a very low value.

A naive attacker might consider building a lookup table with 2^40 entries, listing for each possible 40-bit key the value of the first 40 bits of keystream that results. This requires a 2^40 precomputation, but then each subsequent session key can be broken extremely quickly (with just a single table lookup). However, in practice this attack is probably not very practical because it requires 2^40 space.

A time-space tradeoff allows us to reduce the space requirements of the naive attack by trading off memory for additional computation. Consider Hellman's time-space tradeoff [Hel80]. For an n-bit key, Hellman's tradeoff requires a 2^n precomputation and 2^{2n/3} space, and then every subsequent session key can be broken with just 2^{2n/3} work. (Other tradeoffs are also possible.)

For MS-CHAP's 40-bit keys, n = 40, and 2n/3 ≈ 26, so you get an attack that breaks each session key with approximately 2^26 work. The attack requires a 2^40 precomputation and 2^26 space, but these requirements are easily met.

This means that the export-weakened versions of MS-CHAP offer an effective key length of only about 26 bits or so, which is much less than the claimed 40 bits of strength. This is a deadly weakness.

9 Conclusions

Microsoft has improved PPTP to correct the major security weaknesses described in [SM98]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user. As computers get faster and distributed attacks against password files become more feasible, the list of bad passwords — dictionary words, words with random capitalization, words with the addition of numbers, words with numbers replacing letters, reversed words, acronyms, words with the addition of punctuation — becomes larger. Since authentication and key-exchange protocols which do not allow passive dictionary attacks against the user's password are possible — Encrypted Key Exchange [BM92, BM94] and its variants [Jab96, Jab97, Wu98], IPSec — it seems imprudent for Microsoft to continue to rely on the security of passwords. Our hope is that PPTP continues to see a decline in use as IPSec becomes more prevalent.

References
We are currently at the point, due to the enormous surge of Internet use, where a large-scale Public Key Infrastructure (PKI) is about to be deployed. On the other hand, another set of requirements suggests that decryption keys should be escrowed. This is easily justifiable in worldwide deployment of systems where medical records can be accessed, typically by the client, but only in an emergency using escrow mechanisms. Also, governments are interested in securing access to telephone systems for law enforcement (this last issue is politically controversial, but our treatment is only technical). Most if not all of the early proposed key escrow schemes suffer from at least one form of drawback or another (typically from inherent incompatibilities with software based regular PKIs). These include the need for "tamper-resistant" devices, e.g., Clipper and Capstone, added overhead of protocol interaction between users and the escrow authorities, the need for "trusted third parties" to generate cryptographic keys and be active in the user-to-user transactions, and requiring changes in protocols which are outside the cryptographic system.

In fact, the problem of implementing an escrowed PKI efficiently is regarded as too difficult a problem to achieve by a number of researchers, cryptographers, and security experts [K-…]. In another paper [FY97], formal arguments are presented explaining why building key escrow on top of a public-key system is a non-trivial task (even when third parties are allowed to be present). The early attempts to present escrowed encryption, indeed, proposed systems much different than a regular PKI. Auto-Recoverable Auto-Certifiable cryptosystems attempt to solve the efficiency (and compatibility) problems that are posed to escrowed PKI's, and do not claim to resolve the ongoing conflict between privacy advocates and those seeking access to escrowed keys. We remark that unlike recent escrow proposals which give the escrow authorities only access to some fraction of the escrowed information (e.g., as in […97]), Auto-Recoverable Auto-Certifiable cryptosystems give the escrow authorities access to all encrypted information when authorized. However, the access does not have to be to a key; rather it can have very small granularity which enables access to an individual message. We believe that granular access [FY95] is more acceptable than partial access, which implies further computational costs in recovering the message (the cost effectiveness is not justified from an engineering point of view and the delay of partial recovery may not be tolerable).

I itial r 1 p ci cati 

h folio ing ar sp ci cations of soft ar scro d KI as can b d ri d from 
isting doc m nts, disc ssions in th cr ptographic comm nit , and approach s 
to s st ms d lopm nt: 

t ar i pi tati ach and r s st m compon nt do s not 
r q ir tamp r-proof hard ar . 

2. t ar distrib ti h soft ar that s rs mplo is p blic (and 
h nc is asil distrib t d). 

3. K s 1 -g rati s rs g n rat th ir o n pri at k s ind p nd ntl 

and ffici ntl . h pri at k s (or m ssag s ncr pt d b th s k s) ar 
r CO rabl b th scro a thoriti s onl . 
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4. s r at riti s iialitr ti h scro a thoriti s act 

onl at th s st m’s s t- p, and h n k r co r is n d d. 

5. KI- patibl rti ati pr ss o c rtif a k , a s r s nds on 

m ssag r q sting c rti cation to th rti cation thorit ( ), as in 

a r g lar p blic k infrastr ct r . his m ssag is cr at d b an fhci nt 
proc d r , p rform d ind p nd ntl b th s r alon . 

6. rti d k s ar r rabl s r’s p blic k is c rti d b a r- 

ti cation thorit ( ) onl if th corr sponding pri at k is ri d 

to b r CO rabl b th a thoriti s. his ri cation is cond ct d sol 1 

from th m ssag that forms th r q st for c rti cation; th ri cation is 

s cc ssf 11 if and onl if th k is r co rabl ith r high probabilit . 

7. KI- patibl rti at s s r’s k in th c rti cat sho Id incl d 
th sam information as in a r g lar p blic k . 

i rsal ri abilit r rabilit pon r q st, a s r can pr - 
s nt th m ssag that forms th r q st for c rti cation to an part and 

this part can rif that th pri at k is r co rabl b th a thoriti s. 

9. fRitr r hk r CO r proc d r is fhci nt (it can pr f ra- 
bl b don b distrib t d parti s, .g., sing thr shold cr ptograph [ 9] 

and ri abl s cr t sharing hich ha b n d lop d in th ’s). 

KI- patibl s r s st h s st m is as as for s rs as a p - 
blic k cr ptos st m, and can b impl m nt d in soft ar . ch a sol tion 

th r for constit t s a r d ction of a KI ith a rti cation thorit 
[Koh7 ] to an scro d p blic k infrastr ct r ith th sam con g ra- 
tion. inc s ch a sol tion can b impl m nt d s c r 1 in soft ar , it can 

b impl m nt d and distrib t d in so rc cod form, th s making it as as 
to distrib t and s as a p blic k soft ar packag ( .g., ). 

KI- patibl s t ar /ar it t r la rs rom an infrastr ct r 
and s st ms int gration p rsp cti , th s sp ci cations diff r ntiat b t- 

n ario s ind p nd nt la rs. h rst la r consists of th scro a t- 

horiti s, ho act onl at th tim th s st m is stablish d and ho act onl 
h n a pri at k n ds to b r co r d. h lat r action is p rform d ith- 
o t int rfacing ith s rs. h s cond la r is th p blic-k infrastr ct r , 

hr s rs and ’s g n rat c rti d k s hos corr sponding pri at 

k s ar pri at to th s rs. h third la r is th s of th c rti dp blic 

k s ithin comm nication and storag applications. In s ch a s st m th 

third la r is r lat d to th s cond la r as in a r g lar p blic k infrastr c- 
t r . 

12. Communication protocol level compatibility: the solution should not change headers and messages outside the PKI protocols; e.g., communicating parties use existing communication protocols.

13. Compliance assurance: In [FY95, FY97] Frankel and Yung note that any escrow encryption scheme can always be bypassed (hardware or software). This is due to under-encrypting, over-encrypting, etc. Thus, governments cannot hope to solve misbehaviors in general. What is important is the definition given in [FY95] which says that "as long as the parties employ the mechanisms provided for confidentiality by the system, the escrow capability should be enabled". In an auto-recoverable auto-certifiable system, the CA ties the certification of keys to assure that secret keys are escrowed. It seems that this is a proper choice of control since, in order to bypass the system, users will have to use another system or use an unauthorized modification of the system. Also, not performing the 'assurance of escrow' by the CA at the infrastructure level may cause problems in system design, as pointed out in [FY97].

14. Security: The public key is as secure as a key in a PKI against all parties ([YY98] and [YY99] require an additional assumption for each, but only for arguing security against the CA, whereas it is possible to reduce the security of the key to a known assumption otherwise).

15. Shadow-public-key resistance: Another aspect of security is that the system should not contain a subliminal channel that enables "shadow public-key" distribution [KL95]. Such a property is hard to prove, but at the very least it should be required that what is published to the general public in the key escrow system is the same information as what is published in a regular public key system.

There are three additional requirements which are often desired in many applications:

16. Cost: We need to have the system be of relatively low resource cost. In particular, whereas the user should have no additional cost when compared to an unescrowed PKI user, the CA may have some additional cost (e.g., a moderate increase in memory and processing, though this memory may be maintained at the escrow authorities as well) and the only real additional cost is in managing and operating the escrow authorities (which is a required cost). The typical cost of the authorities and the needs for their security should be compatible with the corresponding cost and needs of a (perhaps distributed) CA.

17. Granularity of escrow: Another property which may be required is that rather than opening keys of users, the authorities open session keys which are encrypted under the public keys of users. The session key is openable regardless of which of the two users in the session has been authorized as a target for key escrow. The notion of granularity in taking a key out of escrow was dealt with in [ Y94, Y95] and by Lenstra, Winkler, and Yacobi [LWY95]. This property is typically a function of the key of the escrow authority (but can always be achieved if the authorities, rather than a large number of users, are implemented in tamper-proof hardware).

18. User trust: In a PKI setting the system's trust is with the CA; it may be desirable in an escrow PKI setting that trust remain with the CA. In auto-recoverable auto-certifiable cryptosystems it is possible for the CA to retain critical escrowed information for each user (though the CA cannot access it), and thus CA collaboration can be made necessary to take information out of escrow, thus making the trust remain with the CA.
Auto-Recoverable Auto-Certifiable Cryptosystems: General Structure

The papers [YY98] and [YY99] describe two different auto-recoverable auto-certifiable cryptosystems such that when each is run, an ElGamal [ElG85] public/private key pair, an escrowed encryption of the private key, and a proof that the escrow authorities can recover the private key is produced for the user. The proof, in addition to the 'encryption' of the private key, has been called a certificate of recoverability. This certificate is publicly verifiable and assures that the private key is escrowed properly. In short, each algorithm describes how to construct a string which constitutes an implicit encryption of the private key $x$ under the escrow authorities' key and a non-interactive zero-knowledge (NIZK) proof that allows a prover to prove to a verifier that her private key $x$ in $y = g^x \bmod p$ is the same as in the implicit encryption. Hence, a Certification Authority (CA) can insist that a user who submits her own public key for publication also submits the certificate just described. Having done so, the CA can be certain that $x$ is escrowed properly, without ever learning $x$ itself. The primary difference between the two algorithms is that the public key of the escrow authorities in [YY98] is a discrete log based public key, whereas in [YY99] it is an RSA modulus.

We emphasize that the proofs and encryptions employed are efficient and do not contain encryptions of circuits and general proofs which employ such constructions (which are typically plausibility results rather than actual systems).

Once the keys are certified by the CA, their use within the system is as in a regular PKI based on ElGamal/Diffie-Hellman keys. Key recovery is an efficient procedure between the CA and the escrow authorities, who are otherwise not active. The cooperation with the CA is needed, yet the CA cannot recover the keys.

For security the primary cryptographic assumption that is made is that the Diffie-Hellman (DH) problem is hard. This assumption is used for security against adversaries. For the user to be secure from the CA, each of the aforementioned auto-recoverable auto-certifiable cryptosystems requires a new cryptographic assumption. Note that the DH assumption is already required because the ElGamal public key cryptosystem is secure if and only if the DH problem is hard. Due to the non-interactive nature of the certificates of recoverability, a random oracle cryptographic hash assumption (for $H$) is also required for the validity of the proofs within the certificate.

The certificate of recoverability given to the CA is not made public, to avoid shadow public abuse.



Related Work

Various tamper-resistant hardware solutions have been proposed, like the U.S. government's Clipper chip and Capstone chip. These solutions are undesirable for users since they require special hardware, and since secret unscrutinized algorithms have to be trusted. (See [YY96, YY97a, YY97b] for potential problems with such designs.) Also, attacks have been found (e.g., [FY95]).

Fair Public Key Cryptosystems (FPKC) is a public key escrow system that can be implemented in software [Mi92]. One of the problems with FPKC's is that every user must split his or her private key and send the shares to the authorities. The authorities must then interact to insure that the key is escrowed. So, the system has more communication overhead than a typical public key system. Also, FPKC's can be abused via the use of shadow public key cryptosystems, as shown by Kilian and Leighton [KL95]. Kilian and Leighton proposed a key escrow solution called Failsafe Key Escrow (FKE) to the shadow public key abuse problem. However, in so doing FKE's require even more protocol interaction to escrow keys than FPKC's.

A "Fraud-Detectable Alternative to Key-Escrow Proposals" based on ElGamal was described in [VT97]. This system, called binding ElGamal, allows users to send encrypted information along with a poly-sized proof that the session key that was used in the encryption can be recovered by the escrow authorities. It was pointed out in two different rump session presentations at Eurocrypt '97 that it is possible to use the means provided by the binding ElGamal system to defeat the escrow capability [ 97, 97].

Definitions

Informally, an auto-recoverable and auto-certifiable cryptosystem is a system that allows a user to generate auto-certifiable keys (keys with a proof of the method of generation) efficiently. The following is a formal definition.

Definition. An auto-recoverable and auto-certifiable cryptosystem is a triple (GEN, VER, REC) (where REC may be an $m$-tuple (REC$_1$, REC$_2$, ..., REC$_m$)) such that

1. GEN is a valid poly-time probabilistic Turing machine that takes no input and generates the triple $(K_1, K_2, P)$, which is left on the tape as output. Here $K_1$ is a randomly generated private key and $K_2$ is the corresponding public key. $P$ is a poly-sized certificate that proves that $K_1$ is recoverable by the escrow authorities using $P$.

2. VER is a valid poly-time deterministic Turing machine that takes $(K_2, P)$ on its input tape and returns a boolean value. With very high probability VER returns true iff $P$ can be used to recover the private key $K_1$.

3. REC is a deterministic Turing machine with a private input. For a distributed implementation, REC$_i$, where $1 \le i \le m$, is a poly-time deterministic Turing machine with a private input that takes $P$ as input and returns share $i$ of $K_1$ on its tape as output, assuming that $K_1$ was properly escrowed. (A subset of) the Turing machines REC$_i$ for $1 \le i \le m$ can be used collaboratively to recover $K_1$.

4. It is intractable to recover $K_1$ given $K_2$ and $P$ without REC (or REC$_1$, ..., REC$_m$).
We will now define informally the steps taken in a Public Key Infrastructure (PKI) and in an auto-recoverable auto-certifiable PKI. The following is the structure (protocol) of a Public Key Infrastructure:

1. CA's addresses and parameters are published and distributed.

 a) Each user generates a public/private key pair, and submits the public key, along with an ID string, to a CA.

 b) The CA verifies the ID string, certifies the public key (by signing it), and enters the certification in the public key database.

 c) To send a message, a user queries the CA to obtain the public key of the recipient, and verifies the signature of the CA on the public key.

 d) The user then encrypts the message with the recipient's public key and sends the corresponding ciphertext to the recipient.

 e) The recipient decrypts the ciphertext with his or her own private key.

The following is an auto-recoverable auto-certifiable PKI:

1. A set of system parameters is agreed upon. The escrow authorities generate an escrowing public key with corresponding private shares. The public parameters and CA's parameters are distributed (e.g., in software).

 a) Each user generates a public/private key pair, and submits the public key, along with an ID string and a certificate of recoverability, to a CA.

 b) Using the escrowing public key, the CA verifies the certificate of recoverability. Provided that this verification holds, and that the ID string is valid, the CA certifies the public key (by signing it), and enters the certification in the public key database.

 c) To send a message, a user queries the CA to obtain the public key of the recipient, and verifies the signature of the CA on the public key.

 d) The user then encrypts the message with the recipient's public key and sends the corresponding ciphertext to the recipient.

 e) The recipient decrypts the ciphertext with his or her own private key.

2. If a wire-tap is authorized for a given user, the escrow authorities obtain the certificate of recoverability of that user (from the CA), and recover the key or cleartext under the key.

Note that (a) through (e) above are functionally equivalent in both systems. The only difference is that in the escrow system, the CA is able to verify that the private key is recoverable by the escrow authorities. The only added items in the auto-recoverable PKI, compared to what is required for a PKI, are set-up extra work in step 1 and step 2. Step 2 is necessary by definition, and the additional work in step 1 seems necessary to bind the system to the escrow authorities.

In an auto-recoverable auto-certifiable system, the $i$-th escrow authority EA$_i$ knows only REC$_i$, in addition to what is publicly known. To publish a public key, user $U$ runs GEN() and receives $(K_1, K_2, P)$. $U$ keeps $K_1$ private and sends the pair $(K_2, P)$ to the CA. The CA then computes VER$(K_2, P)$, and publishes a signed version of $K_2$ in the database of public keys iff the result is true. Otherwise, $U$'s submission is ignored. In either case the certificate of recoverability is not published. Suppose that $U$'s public key is accepted and $K_2$ appears in the database of the CA. Given $P$ obtained from the CA, the escrow authorities can recover $K_1$ as follows. EA$_i$ computes share $i$ of $K_1$ by running REC$_i(P)$. The authorities then pool their shares and recover $K_1$.


5.1 The system of [YY98]

Mathematical Preliminaries. Let $Z^*_{2q}$ denote the multiplicative group of canonical elements relatively prime to $2q$ (we use it to call the group and its elements). Here $q$ is a large odd prime. It is straightforward to show that $Z^*_{2q}$ is a cyclic group (it possesses a primitive root). In fact, if $s$ is a primitive root modulo $q$ and if $s$ is odd, then $s$ is also a primitive root modulo $2q$. If $s$ is a primitive root modulo $q$ and $s$ is even, then $s + q$ is a primitive root modulo $2q$. See [Ros93] for details. It can be shown that there exists a generator $s$ for all groups $Z^*_{2q}$. Thus, there is a probabilistic poly-time algorithm to find a generator of $Z^*_{2q}$. The following first two simple claims are used to show that if the discrete log problem is hard, then the discrete log problem in $Z^*_{2q}$ is hard.

Claim 1. $(s^k \bmod 2q) \bmod q = s^k \bmod q$.

Claim 2. If $(s^{k_1} \bmod 2q) = s^{k_2} \bmod q$, then $k_1 = k_2$.

Claim 3. If DH mod $q$ is hard, then DH mod $2q$ is hard.

Proof. We will prove this by proving the contrapositive. Suppose we are given a box $X$ that takes $A$ and $B$ and returns $s^{ab} \bmod 2q$, where $A = s^a \bmod 2q$ and $B = s^b \bmod 2q$. We need to show that we can use $X$ to perform DH given $A = s^a \bmod q$ and $B = s^b \bmod q$. To do this, choose $r_1, r_2 \in Z^*_{q-1}$ such that $A^{r_1}$ and $B^{r_2}$ are odd mod $q$, provided that $s$ is odd (if $s$ is even, make sure these two values are even). We then compute $t = X(A^{r_1} \bmod q,\; B^{r_2} \bmod q)$. From Claim 2 it follows that $t = s^{a r_1 b r_2} \bmod q$. We then output $t^{(r_1 r_2)^{-1}} \bmod q$. Note that $r_1 r_2$ has a unique inverse mod $q - 1$ since $r_1, r_2 \in Z^*_{q-1}$. Our algorithm thus outputs $s^{ab} \bmod q$ as needed.

From Claim 3 it follows that if the DH problem is hard, then the discrete log problem in $Z^*_{2q}$ is hard.

Problem 1: Let $p = 2q + 1$ and let $q = 2r + 1$ where $p$, $q$, and $r$ are prime. Find … mod $2q$ given … mod $2q$ and … mod $p$. Here $g$, $s$, $t$, and $p$ are public. $g$ generates $Z^*_p$, $s$ generates $Z^*_{2q}$, and $t$ generates a large subgroup of $Z^*_{2q}$.

The difficulty of Problem 1 is a cryptographic assumption in [YY98]. Clearly, Problem 1 is not hard if the discrete-log problem is not hard, or if DH is not hard.

We note that Stadler [Sta96] has initiated the use of the double-decker exponentiation in his publicly-verifiable secret sharing (PVSS) work prior to our use of it. He also notes that his PVSS can be used in the model of Micali's "Fair Cryptosystems". However, this means that the application suffers from the same problems as the original fair cryptosystems, which our work has attempted to overcome.
System Setup. A large prime $r$ is agreed upon s.t. $q = 2r + 1$ is prime and s.t. $p = 2q + 1$ is prime. We have produced such large values efficiently. A generator $g$ is agreed upon s.t. $g$ generates $Z^*_p$, and an odd value $g'$ is agreed upon s.t. $g'$ generates $Z^*_{2q}$. The values $(p, q, r, g, g')$ are made public.

An example of organizing the escrow authorities is given; other settings of threshold schemes, or even schemes where users decide on which authorities to bundle together, are possible. There are $m$ authorities. Each authority EA$_i$ chooses $z_i \in_R Z_{2r}$. They each compute $Y_i = g'^{z_i} \bmod 2q$. They then pool their shares $Y_i$ and compute the product $Y = \prod_i Y_i \bmod 2q$. Note that $Y = g'^{z} \bmod 2q$, where $z = \sum_i z_i \bmod 2r$. The authorities choose their $z_i$ over again if $(g'/Y) \bmod 2q$ is not a generator of $Z^*_{2q}$. Each authority EA$_i$ keeps $z_i$ private. The public key of the authorities is $(Y, g', 2q)$. The corresponding shared private key is $z$.

Key Generation. GEN uses "double decker" exponentiation and operates as follows. It chooses a value $k \in_R Z_{2r}$ and computes $C = g'^{k} \bmod 2q$. GEN then solves for the user's private key $x$ in $x Y^k = g'^{k} \bmod 2q$. GEN computes the public key $y = g^x \bmod p$. GEN computes a portion of the certificate $v$ to be $g^{Y^{-k} \bmod 2q} \bmod p$. GEN also computes three NIZK proof transcripts $P_1$, $P_2$, $P_3$ (which are generated by the NIZK proof systems ZKIP$_1$, ZKIP$_2$, and ZKIP$_3$, described below). The certificate $P$ is the 5-tuple $(C, v, P_1, P_2, P_3)$. GEN leaves $((y, g, p), x, P)$ on the output tape (note that $y$ need not be output by the device since $y = v^C \bmod p$). The user's public key is $(y, g, p)$.

Public Verification. VER takes $((y, g, p), P)$ on its input tape and outputs a boolean value. VER verifies the following things:

1. $P_1$ is valid, which shows that GEN knows $k$ in $C$

2. $P_2$ is valid, which shows that GEN knows $k$ in $v$

3. $P_3$ is valid, which shows that GEN knows $k$ in … mod $p$

4. VER verifies that $y = v^C \bmod p$

VER returns true iff all 4 criteria are satisfied. $P_1$ is essentially the same as the proof described first in [GHY85] for isomorphic functions, but the operations here are in $Z^*_{2q}$. ZKIP$_2$, which is the basis for $P_2$ and $P_3$, will be explained in the following section.

In ZKIP$_2$, a prover wishes to interactively prove to a verifier that the prover knows $k$ in $T = g^{s^k \bmod 2q} \bmod p$. It is assumed that the verifier does not know $s^k \bmod 2q$ (and hence he doesn't know $k$). The values $T$, $g$, $s$, and $p$ are public. The quantity $g$ generates $Z^*_p$. The following three-pass protocol is repeated $n$ times.

1. The prover chooses $e \in_R Z_{2r}$ and sends $I = T^{s^e \bmod 2q} \bmod p$ to the verifier.

2. The verifier sends $b \in_R Z_2$ to the prover.

3. The prover sends $z = e + bk \bmod 2r$ to the verifier.

4. The verifier verifies that $I = (T^{1-b} g^{b})^{s^z \bmod 2q} \bmod p$.

The verifier accepts the proof iff step 4 passes in all $n$ rounds of the protocol. ZKIP$_3$ is a three-pass protocol that uses values $(I, b, z)$ which are very similar to the values $(I, b, z)$ which are used in ZKIP$_2$.

It remains to show how the NIZK proofs in $P$ are constructed. Let $e_{i,j}$ denote the prover's random choice for iteration $j$ of proof $P_i$. Here $1 \le i \le 3$ and $1 \le j \le n$.

1. $P = (C, v)$

2. The prover chooses values $e_{1,1}, e_{1,2}, \ldots, e_{1,n}, e_{2,1}, \ldots, e_{2,n}, e_{3,1}, \ldots, e_{3,n} \in_R Z_{2r}$. Note that the $e$'s must be in $Z_{2r}$, otherwise information about $k$ may be leaked in step 7. To see this, note that $e$ is needed to blind $k$ perfectly.

3. The prover computes $I_{1,j} = g'^{e_{1,j}} \bmod 2q$, $I_{2,j} = \ldots \bmod p$, and $I_{3,j} = (\ldots / y) \bmod p$ for $1 \le j \le n$.

4. The prover includes all the values $I_{i,j}$ in $P$, where $1 \le i \le 3$ and $1 \le j \le n$.

5. The prover computes $rnd = H(P, I_{1,1}, I_{1,2}, \ldots, I_{3,n})$, where $H$ is a cryptographic one-way function.

6. The prover gets the $3n$ values $b_{i,j}$ for $1 \le i \le 3$ and $1 \le j \le n$ from the $3n$ least significant bits of $rnd$. These are the challenge bits. Note that the verifier can calculate these bits given the values for $I$.

7. The prover computes $z_{i,j} = e_{i,j} + b_{i,j} k$ for $1 \le i \le 3$ and $1 \le j \le n$.

8. The prover includes the values $z_{i,j}$ in $P$, where $1 \le i \le 3$ and $1 \le j \le n$.

The verifier accepts the proof iff all $3n$ checks pass and if $y = v^C \bmod p$. This method of making a ZKIP non-interactive is due to Fiat and Shamir [FS86].

Key Recovery. REC$_i$ recovers share $i$ of the user's private key $x$ as follows. REC$_i$ takes $C$ from $P$. It then computes share $s_i$ to be $C^{z_i} \bmod 2q$, and outputs $s_i$ on its tape. The authorities then pool their shares and each computes $Y^k = \prod_i s_i \bmod 2q$ (note that $\prod_i C^{z_i} = C^{z} = g'^{kz} = Y^k$, so no knowledge of $k$ is needed). From this they can each compute $x = C Y^{-k} \bmod 2q$, which is the user's private key.

The escrow authorities can recover the plaintext of users suspected of criminal activity without recovering the user's private key itself. To decrypt the ciphertext $(a, b)$ of user $U$ the escrow authorities proceed as follows:

1. Each of the $m$ escrow authorities EA$_i$ receives $C$ corresponding to $U$.

2. Escrow authority 1 computes $s_1 = a^{C^{-z_1} \bmod 2q} \bmod p$.

3. Escrow authority $i + 1$ computes $s_{i+1} = s_i^{C^{-z_{i+1}} \bmod 2q} \bmod p$.

4. Escrow authority $m$ decrypts $(a, b)$ by computing $b / (s_m^{C}) \bmod p$.

This system allows for multiple CA's to be associated with the escrow authorities. Escrowing across escrow authorities' domains (e.g., different countries) can be solved by the users employing the long-lived Diffie-Hellman key as their common key (which is recoverable by either country) or by bilateral agreements.

For proofs of security we refer the reader to [YY98].

Note that only the user's public key is published, as in a regular public key system. In fact, it is insisted that the certificate of recoverability not be published. This is to prevent the establishment of a shadow public-key for each user.

5.2 The system of [YY99]

Mathematical Preliminaries. This system requires the following cryptographic assumption.

Problem 2: Without knowing the factorization of $n$, find $x$, where $x \in Z^*_{tn}$, given $x^e \bmod 2tn$ and $g^x \bmod p$. Here, $p = 2tn + 1$, $n = qr$, $p$, $q$, and $r$ are large primes, $t$ is a small prime, $g$ generates a large subgroup of $Z^*_p$, and $\gcd(e, \phi(tn)) = 1$. In this work $e = 3$.

It is also assumed that it is hard to compute the entire plaintext if reductions are performed modulo $2tn$, as opposed to reducing modulo $n$ as in RSA. Recall that $t$ is a small prime number.

Intuitively, it seems that Problem 2 should be hard, since $x^e \bmod 2tn$ is a presumed one-way trapdoor function of $x$, and $g^x \bmod p$ is a presumed one-way function of $x$. Clearly, Problem 2 is not hard if cracking RSA is not hard, or if computing discrete logs is not hard.

System Setup. The escrow authority (authorities) generate a shared Blum integer $n = qr$, where $q$ and $r$ are prime. The escrow authorities then make sure that $\gcd(3, \phi(n)) = 1$. If this condition does not hold, then the escrow authorities generate a new $n$. The escrow authorities then compute $p = 2tn + 1$, where $t$ is drawn from the first, say, 256 strong primes starting from 11, inclusive. If $p$ is found to be prime using one of these values for $t$, then the values for $n$ and $p$ have been found. If none of the values for $t$ causes $p$ to be prime, this entire process is repeated as many times as necessary. Note that $t = 2t' + 1$ where $t'$ is prime. Since we insist that $t > 7$, we are guaranteed that $\gcd(3, \phi(tn)) = 1$. Once $n$ and $p$ are found, the escrow authorities generate the private shares $d_1, d_2, \ldots, d_m$ corresponding to $e = 3$. A value $g \in_R Z_p$ is chosen such that $g$ has an order that is at least as large as the smallest of $q$ and $r$, in the field $Z_p$ (recall that the factorization of $n$ is not known). The values $t$, $n$, and $g$ are made public.

This system can be set up much faster than [YY98] since the escrow authority can generate a composite modulus very quickly, and in order to find a prime $p$, $t$ can be varied as needed. The expected time to find such a $p$ is inversely proportional to the density of primes. In contrast, in [YY98] the system setup relied on finding three primes with a rigid relationship between them. Heuristically this means that sampling such primes may take an expected time which is inversely proportional to the density of the primes cubed.

Key Generation. GEN operates as follows. It chooses a value $x \in_R Z^*_{tn}$ and computes $C = x^3 \bmod 2tn$. $x$ is the user's ElGamal private key. GEN then computes $y = g^x \bmod p$. The user's ElGamal public key is $(y, g, p)$. Note that $g$ may not necessarily generate $Z^*_p$, but GEN can make sure that it generates a large subgroup of $Z^*_p$. GEN also computes a non-interactive zero-knowledge proof based on $C$ and $y$. The following is how this proof is constructed.

1. choose $r_1, r_2, \ldots, r_N \in_R Z^*_{tn}$

2. compute $C_i = r_i^3 \bmod 2tn$ for $1 \le i \le N$

3. compute $v_i = y^{r_i} \bmod p$ for $1 \le i \le N$

4. $b = H((C_1, v_1), (C_2, v_2), \ldots, (C_N, v_N)) \bmod 2^N$

5. $b_i = (2^i \;\mathrm{AND}\; b) > 0$ for $1 \le i \le N$

6. $z_i = r_i x^{b_i} \bmod 2tn$ for $1 \le i \le N$

Here $N$ is the number of iterations in the NIZK proof (e.g., $N = 40$). Concerning step 1, technically the prover has a chance that one of the $r_i$ will have $q$ or $r$ in its factorization; this is highly unlikely. Note that $b_i$ in step 5 results from a boolean test. $b_i$ is 1 if, when we take the logical AND of $2^i$ and $b$, we get a value greater than zero. It is 0 otherwise. The proof $P$ is $(C, (C_1, v_1), (C_2, v_2), \ldots, (C_N, v_N), z_1, z_2, \ldots, z_N)$. GEN leaves $((y, g, p), x, P)$ on the output tape.



Public Verification. VER takes $((y, g, p), P)$ on its input tape and outputs a boolean value. VER verifies the following things:

1. $C^{b_i} C_i = z_i^3 \bmod 2tn$ for $1 \le i \le N$

2. $v_i = (y^{1-b_i} g^{b_i})^{z_i} \bmod p$ for $1 \le i \le N$

VER returns true iff both criteria are satisfied. Note that skeptical verifiers may also wish to check the parameters supplied by the escrow authorities (e.g., that $n$ is composite, $p$ is prime, etc.).



Key Recovery. REC$_i$ recovers share $i$ of the user's private key $x$ as follows. REC$_i$ takes $C$ from $P$. It then recovers share $s_i$ using the private share $d_i$. It outputs $s_i$ on its tape. The authorities then pool their shares and $x$ is computed.



Recovering Plaintext Data. The escrow authorities can recover the plaintext of users suspected of criminal activity without recovering the user's private key itself. In this section, it is assumed that the method being used is [BF97]. In this case the private decryption exponent is $d = d_1 + d_2 + \cdots + d_m \bmod \phi(tn)$, and $d$ is the inverse of 3 mod $\phi(tn)$. To decrypt the ElGamal ciphertext $(a, b)$ of a user $U$ the escrow authorities proceed as follows:

1. Each of the $m$ escrow authorities receives $C$ corresponding to $U$.

2. Escrow authority 1 computes $s_1 = a^{C^{d_1} \bmod 2tn} \bmod p$.

3. Escrow authority $i + 1$ computes $s_{i+1} = s_i^{C^{d_{i+1}} \bmod 2tn} \bmod p$.

4. Escrow authority $m$ decrypts $(a, b)$ by computing $b / s_m \bmod p$ (since $s_m = a^{C^{d} \bmod 2tn} = a^x$).

Since the escrow authorities do not reveal the values $C^{d_i}$, no one can recover $x$. For proofs of security we refer the reader to [YY99].
6 Depth-3 Escrow Hierarchy

The last solution can be combined with [YY98] to implement a depth-3 escrow hierarchy. The following is how to realize such a system. The escrow authorities generate a shared composite $n$ such that $q = 2tn + 1$ is prime, and such that $p = 2q + 1$ is prime. Here $t$ is a small prime of the form $2t' + 1$ where $t'$ is prime. Thus, from the root of the tree to the children of the root, the escrow system that is used is the one that is described in this section. It is somewhat more difficult to generate an appropriate prime $2tn + 1$ in this case, since $4tn + 3$ must also be prime (so we have the same inefficiency as in [YY98]). Each child of the root (intermediate node) then generates a (potentially shared) public key $Y \bmod 2q$. Thus $Y$ is an ElGamal public key in ElGamal mod $2q$.

The leaves corresponding to (i.e., under) each of these intermediate children then generate escrowed keys based on the values for $Y$ using the algorithm from [YY98]. Thus, the [YY98] algorithm is used between the intermediate nodes and the users at the leaves. Note that in this case the generator that is used in $Y$ may only generate a large subgroup of $Z^*_{2q}$.

7 Recent Developments

There are a number of things that could improve on these auto-recoverable auto-certifiable cryptosystems. For instance, it is desirable to eliminate the assumption that Problem 1 and Problem 2 are hard. Also, note that in both systems, the user's public keys have a special algebraic form, as dictated by their reliance on the shared public key of the escrow authorities. In a generic system one would like to be able to escrow generic keys (RSA and regular ElGamal). This gives rise to the following additional requirements.

19. Employing Generic Keys: The systems use the traditional public keys: RSA/factoring-based or ElGamal variants.

20. Compatible User: The only change for the user is additional information sent during key registration (or re-registration).

21. No Cascading Changes: The users do not have to change their applications which employ cryptography, not even within the PKI applications (namely they use the same general cryptographic functions, and the same software; all change is some added procedure in registration).

22. Separation of Users and Escrow Agents: The escrow authorities are managed and constructed independently of the users (only their public key(s) need be known).

23. Independent User Keys: The user's key is independent of any third party key and is produced in much the same way as in an unescrowed PKI. The users can keep their basic cryptographic algorithms (key generation, encryption, etc.).

24. Multiple Escrow Authorities: Users can register for escrow with multiple escrow authorities.

25. Coexisting Escrow/Non-Escrow: Users can, under the same CA, have unescrowed keys and escrowed ones (and can transfer unescrowed keys to escrowed ones).

26. Escrow Hierarchy: A multi-level security system can be implemented where escrow authorities at each level can access all information below in the hierarchy, and none of the information above.

Forthcoming Work

In work that is yet to appear, we present an auto-recoverable auto-certifiable cryptosystem with ElGamal user keys that does not involve any new cryptographic assumptions (like Problem 1 or Problem 2 being hard). In fact, all that is assumed is the existence of a semantically secure public key cryptosystem (though the random oracle model is still used). Hence, the shared public key of the escrow authority can have any algebraic form, so long as it is part of a semantically secure public key cryptosystem. The solution decouples the algebraic connection between the user keys and the shared public key of the escrow authority, and thus gives rise to a completely new feature in auto-recoverable auto-certifiable cryptosystems. It enables "drop-in replacement" of certified public keys. This results from the fact that the public key of the user can be generated in exactly the same way as in an unescrowed PKI. Thus, should a user ever decide to escrow his or her public key, he or she can do so at any time, even after the public key is made public. The user need only construct the certificate of recoverability at a later time and submit it for verification by the CA. In future work we will be presenting such a system where the user's public key is an RSA public key [YY-ms]. This decoupling of the algebra behind the public keys also enables arbitrary depth key escrow hierarchies. The new systems have the properties specified above.

References
Abstract. Intrusion detection in a large network must rely on the use of many distributed agents instead of one large monolithic module. Agents should have some kind of artificial intelligence in order to cope successfully with different intrusion problems. In this paper, we suggest a Bayesian alarm network to work as an independent Network Intrusion Detection Agent. We show that when narrowed to detecting one specific type of attack in a large network, for example a denial of service, virus, worm or privacy attack, we can induce much more prior knowledge about the attack into the system. Different nodes of the network can develop their own model of the Bayesian alarm network, and agents can communicate among themselves and with a common security database. Networks should be organized hierarchically, so that on the higher level of the hierarchy the Bayesian alarm network, thanks to interconnections with lower-level networks and data, acts as a distributed Intrusion Detection System.



1 Introduction 

Due to increased connectivity (especially on the Internet), and the vast financial possibilities that are opening up in electronic trade, more and more computer networks and hosts are subject to attack. One way to prevent subversion is by building a completely secure system. However, this is not possible in practice. The vast installed base of systems world-wide guarantees that any transition to secure systems and networks, if ever attempted, would take a long time in coming.

It seems obvious that we cannot prevent subversion. Tools are therefore necessary to monitor systems, to detect attacks, and to respond actively to them. This is essentially what an Intrusion Detection System (IDS) is expected to be able to do.

An intrusion is defined [1] as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource. It is a violation of the security policy of the system. Any definition of an intrusion is, of necessity, imprecise, as security policy requirements do not always translate into a well-defined set of actions. On the other side, intrusion detection is the methodology by which intrusions are detected. This methodology can be divided into two categories of intrusion, misuse intrusion and anomaly intrusion, which can be described as:
• Misuse intrusions are well defined attacks on known weak points of a system. They can be spotted by watching for certain actions being performed on certain objects.

• Anomaly intrusions are based on observations of deviations from normal system usage patterns. They are detected by building up a profile of the system being monitored, and detecting significant deviations from this profile.

As misuse intrusions follow well-defined patterns, they can be detected by doing pattern matching on audit-trail information. However, anomaly intrusions are harder to detect. There are no fixed patterns that can be monitored for, and so we need a system that combines human-like pattern matching capabilities with the vigilance of a computer program. Thus it would always be monitoring the system for potential intrusions, but would be able to ignore spurious false intrusions if they resulted from legitimate user actions; so another goal is to minimize the probability of incorrect classification.

In large networks, Intrusion Detection Systems must rely on network-wide information. Often, the use of many distributed agents instead of one large monolithic IDS module will give better results. Agents should have some kind of artificial intelligence in order to cope successfully with different intrusion problems. As a future direction in developing IDSs, it is believed that Bayesian networks should be used. In the general case it is not clear how to do that, but we will show that when narrowed to detecting one specific type of attack, for example a denial of service, virus, worm or privacy attack, we can induce much more prior knowledge about the attack into the system.

Before we present our solution, we will first describe three corresponding methods 
of network intrusion detection. 



2 Use of Genetic Programming in Intrusion Detection

Many seemingly different problems in artificial intelligence can be viewed as requiring the discovery of a computer program that produces some desired output for particular inputs. When viewed in this way, the process of solving these problems becomes equivalent to searching a space of possible computer programs for the most fit individual computer program.

This approach is chosen in [2] for building an IDS. Instead of one large monolithic IDS module, a finer-grained approach is used, with a group of free-running processes which can act independently of each other and of the system. They are called Autonomous Agents.

An agent is defined [3] as a system that tries to fulfill a set of goals in a complex, 
dynamic environment. In this context, every agent would try to detect anomalous 
intrusions in a computer system under continually changing conditions. In other 
words, the agent would be the IDS. If an IDS can be split up into multiple functional 
entities which can operate in their own right, each of them can be an agent. This gives 
multiple intrusion detection systems running simultaneously. The agents run in 
parallel in the system. Each agent is a lightweight program - it observes only one 
small aspect of the overall system. A single agent alone cannot form an effective 
intrusion detection system - its view of the overall system is too limited in scope. 
However, if many agents all operate on a system, then a more complicated IDS can be 
built. Agents are independent of each other. They can be added to and removed from 
the system dynamically. 

The agent code is composed of a set of operators (arithmetic, logical and 
conditional) and a set of primitives that obtain the value of metrics. As is usual 
with Genetic Programming, these sets can be combined in any way during an evaluation 
run to generate parse trees for solution programs. 




Fig. 1: Sample internal parse tree for an agent 



Figure 1 shows a sample parse tree for an agent. The Terminals in the parse tree 
(the primitives IP-DEST, MY-IP and RAISE) obtain their values from the system 
abstraction layer. In this simple example, the primitive IP-DEST would obtain the IP 
Destination address for the current packet from the abstraction layer. 
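The following is an added example, not code from [2] or from this paper, showing how an agent program of the kind sketched in Figure 1 is evaluated: terminals pull their values from an abstraction layer, operators combine them, and the tree ends in an action. The sample tree, the packet fields (src, dst, dport), the extra primitives IP-SRC and DST-PORT, and the fitness score a GP run would use to rank candidate trees are all constructed for illustration; only the primitive names IP-DEST, MY-IP and RAISE come from the text.

```python
"""Evaluating a genetic-programming agent parse tree over packets.

Added example; this is not code from [2] or from the paper.  The sample
tree, the packet fields (src, dst, dport), the extra primitives IP-SRC and
DST-PORT, and the fitness function are constructed for illustration; only
the primitive names IP-DEST, MY-IP and RAISE appear in the text.
"""

MY_IP = "10.0.0.5"   # constructed address of the monitored host


def primitive_value(name, packet):
    """Terminals obtain their values from the system abstraction layer,
    here a plain dict standing in for the current packet."""
    if name == "IP-DEST":
        return packet["dst"]
    if name == "IP-SRC":
        return packet["src"]
    if name == "DST-PORT":
        return packet["dport"]
    if name == "MY-IP":
        return MY_IP
    raise KeyError(f"unknown primitive {name}")


# Operators available to the GP search: arithmetic, logical and comparison.
OPERATORS = {
    "EQ": lambda a, b: a == b,
    "NEQ": lambda a, b: a != b,
    "LT": lambda a, b: a < b,
    "AND": lambda a, b: bool(a) and bool(b),
    "OR": lambda a, b: bool(a) or bool(b),
    "NOT": lambda a: not a,
    "ADD": lambda a, b: a + b,
}

ACTIONS = {"RAISE", "PASS"}  # action terminals; RAISE means "alarm"


def evaluate(tree, packet):
    """Recursively evaluate a parse tree against one packet.

    A tree is an int constant, a terminal name (str), or a tuple
    (operator, *subtrees).  The conditional (IF cond then else) evaluates
    only the branch that is taken, so RAISE is reached only when the
    condition holds.
    """
    if isinstance(tree, int):
        return tree
    if isinstance(tree, str):
        return tree if tree in ACTIONS else primitive_value(tree, packet)
    op, *args = tree
    if op == "IF":
        cond, then_branch, else_branch = args
        chosen = then_branch if evaluate(cond, packet) else else_branch
        return evaluate(chosen, packet)
    return OPERATORS[op](*(evaluate(a, packet) for a in args))


def agent_raises(tree, packet):
    """True when the agent's program ends in the RAISE action for this packet."""
    return evaluate(tree, packet) == "RAISE"


def fitness(tree, labelled_packets):
    """Fraction of labelled packets the agent classifies correctly.  A GP
    run would rank candidate trees by a score like this (constructed)."""
    correct = sum(agent_raises(tree, p) == alarm for p, alarm in labelled_packets)
    return correct / len(labelled_packets)


# Constructed agent: alarm on traffic to this host's low (system) ports.
SAMPLE_TREE = (
    "IF",
    ("AND", ("EQ", "IP-DEST", "MY-IP"), ("LT", "DST-PORT", 1024)),
    "RAISE",
    "PASS",
)

# Constructed, labelled packets (True = should raise an alarm).
LABELLED_PACKETS = [
    ({"src": "192.0.2.9", "dst": "10.0.0.5", "dport": 23}, True),
    ({"src": "192.0.2.9", "dst": "10.0.0.5", "dport": 8080}, False),
    ({"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 22}, False),
    ({"src": "192.0.2.9", "dst": "10.0.0.5", "dport": 80}, False),  # web traffic: agent misfires
]

if __name__ == "__main__":
    for packet, expected in LABELLED_PACKETS:
        verdict = "RAISE" if agent_raises(SAMPLE_TREE, packet) else "PASS"
        print(packet, "->", verdict, "(alarm expected:", expected, ")")
    print("fitness:", fitness(SAMPLE_TREE, LABELLED_PACKETS))
```

The last labelled packet is ordinary web traffic that the sample tree still flags, so its fitness is 0.75 rather than 1.0; that gap is exactly what the GP search would try to close by mutating or recombining the tree, and it is also where the false-positive cost discussed in the introduction enters.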

The advantages of using genetic programming, viewed through the model of 
Autonomous Agents, are efficiency, fault tolerance, resilience to degradation, 
extensibility and scalability. Having many small agents has a number of advantages 
over a single monolithic IDS. A clear analogy can be drawn between the human immune 
system and this proposal. The immune system consists of many white blood cells 
dispersed throughout the body. They must attack anything which they consider to be 
alien before it poses a threat to the body. 

The foreseen drawbacks include the overhead on both hosts and network because 
of so many processes, long training times, and the fact that if the system is 
subverted, it becomes a security liability. An interesting possibility they open up 
is that of an active defense, which can respond to intrusions actively instead of 
passively reporting them (it could kill suspicious connections, for example). 
Developing good training scenarios is an important issue with this model and should 
be an area for future investigation. 



3 Graph Based Intrusion Detection 

This approach to Intrusion Detection will be described using the model developed by 
a group of authors at the University of California, Davis [4]. Their work was 
inspired by the Internet Worm attack (1988), which made the Internet unavailable for 
about five days [5]. They designed GrIDS, the Graph-based Intrusion Detection System, 
in order to develop a secure infrastructure capable of defending the Internet and 
other large networks. Its primary function is to detect and analyze large-scale 
attacks, although it also has the capability of detecting intrusions on individual 
hosts. 

The nature of operation of the GrIDS system will be presented using a simple 
example of tracking a worm and building the corresponding activity graph. 

In Figure 2 the worm begins on host A, then initiates connections to hosts B and C, 
which causes them to be infected. The two connections are reported to GrIDS, which 
creates a new graph representing this activity and records when it occurred. The two 
connections are placed in the same graph because they are assumed to be related. In 
this case, this is because they overlap in the network topology and occur closely 
together in time. 





Fig. 2: The beginning of a worm graph, and the graph after the worm has spread 

If enough time passes without further activity from hosts A, B, or C, then the graph 
will be discarded. However, if the worm spreads quickly to hosts D and E, as in the 
figure, then this new activity is added to the graph and the graph's time stamp is 
updated. 
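The aggregation behaviour just described (related connections joined into one graph, the time stamp refreshed on new activity, idle graphs discarded) is illustrated by the following added example. It is not code from the GrIDS project [4] or from this paper: the "related" rule (a shared host while the graph is still live), the inactivity window and the host-count threshold at which a graph is reported as a probable worm are constructed simplifications.

```python
"""Building GrIDS-style activity graphs from connection reports.

Added example, not code from the GrIDS project [4] or from this paper.
The aggregation rule (connections sharing a host within a time window are
related), the inactivity timeout and the host-count threshold are
constructed simplifications of the behaviour the text describes.
"""
from dataclasses import dataclass, field


@dataclass
class ActivityGraph:
    hosts: set = field(default_factory=set)
    edges: list = field(default_factory=list)   # (src, dst, time)
    created: float = 0.0
    last_seen: float = 0.0


class GraphAggregator:
    def __init__(self, window, worm_threshold):
        self.window = window              # seconds of inactivity before a graph is discarded
        self.threshold = worm_threshold   # hosts in one graph that count as a spreading worm
        self.graphs = []

    def expire(self, now):
        """Discard graphs that have seen no activity within the window."""
        self.graphs = [g for g in self.graphs if now - g.last_seen <= self.window]

    def report(self, src, dst, now):
        """Add one reported connection; returns the graph it was placed in."""
        self.expire(now)
        # Graphs overlapping the new connection in topology (and, because
        # expire() already ran, close to it in time) are assumed related.
        related = [g for g in self.graphs if src in g.hosts or dst in g.hosts]
        if related:
            graph = related[0]
            for other in related[1:]:     # one edge may bridge several graphs
                graph.hosts |= other.hosts
                graph.edges += other.edges
                self.graphs.remove(other)
        else:
            graph = ActivityGraph(created=now)
            self.graphs.append(graph)
        graph.hosts |= {src, dst}
        graph.edges.append((src, dst, now))
        graph.last_seen = now             # update the graph's time stamp
        return graph

    def suspicious(self):
        """Graphs large enough to be reported as a probable worm."""
        return [g for g in self.graphs if len(g.hosts) >= self.threshold]


def worm_scenario():
    """Replays the Figure 2 scenario with constructed times; returns the
    aggregator so the resulting graphs can be inspected."""
    agg = GraphAggregator(window=30, worm_threshold=4)
    for src, dst, t in [("A", "B", 0), ("A", "C", 1),     # worm starts on A
                        ("B", "D", 5), ("C", "E", 6)]:    # spreads quickly to D and E
        agg.report(src, dst, t)
    return agg


if __name__ == "__main__":
    agg = worm_scenario()
    for g in agg.graphs:
        print(sorted(g.hosts), g.edges)
    print("suspicious graphs:", len(agg.suspicious()))
    agg.report("X", "Y", 100)   # unrelated and much later: the old graph is discarded
    print([sorted(g.hosts) for g in agg.graphs])
```

The scenario ends with a single five-host graph that crosses the threshold; a later, unrelated connection arrives after the window has elapsed, so the worm graph is dropped and a fresh two-host graph starts. This is also where the paper's caveat applies: a worm that spreads more slowly than the window never accumulates into one graph.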

Graph-based Intrusion Detection is a helpful step toward defending against 
widespread attacks in networks. It presents network activities to humans as highly 
comprehensible graphs. In addition, policy mechanisms allow organizations much 
greater control over the use of their networks than is possible, for example, with 
firewalls alone. 

GrIDS, an implementation of graph-based Intrusion Detection, is designed to 
detect large-scale attacks or violations of an explicit policy. However, a widespread 
attack that progresses slowly will not be diagnosed by its aggregation mechanism. 
Also, additional safeguards must be taken to ensure the integrity of communications 
between GrIDS modules, and to prevent an attacker from replacing parts of GrIDS 
with malicious software of her own. 



4 Cooperative Intrusion Detection for Detecting Denial of 
Network Service 

Denial of service in routing infrastructures (routers and routing protocols) may 
be caused by natural faults as well as by malicious attacks. To protect network 
infrastructures from routers that incorrectly drop packets and misroute packets, 
Cheung and Levitt [7] used a detection-response approach. They presented protocols 
that detect and respond to such misbehaving routers. 

The protocols are meant to detect and respond to two types of denial of service: 
"black hole" routers and routers that misroute packets. 

One of the proposed protocols, distributed probing, is applicable to detecting 
network sinks and misrouting routers that cause denial of service - that is, the 
misrouted packets cannot reach their destinations. With distributed probing, a router 
can diagnose its neighboring routers by sending them directly (i.e., without passing 
through intermediate routers) a test packet whose destination router is the tester 
itself. Based on whether the tester gets the test packet back within a certain time 
interval, it can deduce the goodness of the tested router. 

The network is modeled by a directed graph G = (V, E) where vertices denote routers 
and edges denote communication channels. An edge (i, j) ∈ E is called testable if 
cost(j, i) is strictly less than the cost of any other path from j to i in G, where 
the cost of a path is the sum of the costs of all edges on the path. In Figure 3 we 
have an example network that has three routers, namely a, b, and c, and three edges 
(b,c), (b,a), and (c,b). If (c,b) is testable and router c sends a packet p whose 
destination is c itself to b, then, in the distributed probing protocol, p will 
return to c if and only if b does not misbehave on p. 
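The testable-edge condition and the probe exchange above, as an added example that is not code from [7] or from this paper. The edge costs, the honest forwarding rule (cheapest path to the destination) and the misbehaviour model (a black hole drops the packet, a misrouting router hands it to the wrong neighbour) are constructed assumptions; the example goes slightly beyond the text by also showing a network where (c,b) is not testable, so a misrouted probe still finds its way home and the tester learns nothing.

```python
"""Testable edges and distributed probing (Cheung and Levitt's model).

Added example; not code from [7] or from this paper.  The cost values, the
honest-forwarding rule (cheapest path) and the misbehaviour model
(black hole = drop, misroute = forward to a chosen neighbour) are constructed.
"""
import heapq

INF = float("inf")


def shortest_cost(graph, src, dst, skip_edge=None):
    """Dijkstra on a directed graph {u: {v: cost}}; skip_edge=(u, v) removes
    one edge so 'any other path' can be evaluated."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist.get(u, INF):
            continue
        for v, c in graph.get(u, {}).items():
            if (u, v) == skip_edge:
                continue
            if d + c < dist.get(v, INF):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return INF


def is_testable(graph, i, j):
    """Edge (i, j) is testable if cost(j, i) is strictly less than the cost
    of any other path from j to i."""
    if j not in graph.get(i, {}) or i not in graph.get(j, {}):
        return False
    return graph[j][i] < shortest_cost(graph, j, i, skip_edge=(j, i))


def next_hop(graph, at, dst):
    """Honest forwarding: the neighbour on the cheapest path to dst."""
    best, best_cost = None, INF
    for v, c in graph.get(at, {}).items():
        total = c + shortest_cost(graph, v, dst)
        if total < best_cost:
            best, best_cost = v, total
    return best


def probe(graph, tester, tested, misbehaving=None, max_hops=16):
    """The tester hands a packet addressed to itself directly to the tested
    router and reports whether it comes back.  misbehaving maps a router to
    None (black hole) or to the neighbour it wrongly forwards to."""
    misbehaving = misbehaving or {}
    at = tested
    for _ in range(max_hops):
        hop = misbehaving[at] if at in misbehaving else next_hop(graph, at, tester)
        if hop is None:
            return False          # dropped
        if hop == tester:
            return True           # came back within the hop budget
        at = hop
    return False                  # looping or lost


# Figure 3 network: routers a, b, c and edges (b,c), (b,a), (c,b); costs constructed.
FIG3 = {"b": {"c": 1, "a": 1}, "c": {"b": 1}, "a": {}}

# Variant with a cheaper detour b -> a -> c, which makes (c,b) not testable.
DETOUR = {"b": {"c": 5, "a": 1}, "a": {"c": 1}, "c": {"b": 1}}

if __name__ == "__main__":
    print("(c,b) testable in Fig. 3 network:", is_testable(FIG3, "c", "b"))
    print("honest b returns probe:", probe(FIG3, "c", "b"))
    print("black-hole b returns probe:", probe(FIG3, "c", "b", {"b": None}))
    print("misrouting b returns probe:", probe(FIG3, "c", "b", {"b": "a"}))
    print("(c,b) testable with detour:", is_testable(DETOUR, "c", "b"))
    print("misrouting b still returns probe:", probe(DETOUR, "c", "b", {"b": "a"}))
```

In the Figure 3 network the probe comes back exactly when b behaves, matching the "if and only if" in the text. In the detour variant the direct edge is no longer the cheapest way from b to c, so a misrouting b sends the probe via a and it still returns; the testability condition is what rules out this false negative.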




This model of cooperative work for detecting denial of service, unfortunately, does 
not solve the entire denial of service problem of routing infrastructures. There are 
router failures not covered by these failure models. For example, a compromised 
router may modify the body of a transit packet. Also, link failures are not modeled, 
so a link failure that results in packet loss may be viewed as a node failure. 
Finally, these models only consider transit traffic. In other words, packets sent by 
source hosts to source routers and those sent by destination routers to destination 
hosts are not addressed. However, this model represents a first step in protecting 
routing infrastructures from denial of service using an intrusion detection 
approach. 



5 Our Proposal: A Bayesian Alarm Network as Independent 
Intrusion Detection Agent 

The Bayesian approach to probability and statistics differs from the classical 
one. Whereas a classical probability is a physical property of the world (e.g., the 
probability that a coin will land heads), a Bayesian probability is a person's degree 
of belief in that event. 

An important difference between physical probability and personal probability is 
that, to measure the latter, we do not need repeated trials. While the classical 
statistician has a hard time measuring the probability that a cube will land with a 
particular face up, the Bayesian simply restricts his attention to the next toss and 
assigns a probability. 

For some events it is not possible to measure the probability, and that is why 
Bayesian classification represents an interesting tool in intrusion detection. 
Autoclass [8], an implementation of this technique of unsupervised classification of 
data, searches for classes in the given data using Bayesian statistical techniques. 
It attempts to determine the most likely process(es) that generated the data. It 
does not partition the given data into classes but defines a probabilistic 
membership function of each datum in the most likely determined classes. 

Bayes' rule does not provide an algorithm for classification. The designers of a 
Bayesian classifier are faced with the computationally intractable problem of 
searching the hypothesis space for the optimal distribution that produced the 
observed data and the controversial problem of estimating the priors. 

In the case where we are faced with a large number of variables and relationships 
among them, a Bayesian network is a representation suited to solve the problem. It is 
a graphical model (a directed acyclic graph, DAG) that can efficiently encode the 
joint probability distribution (physical or Bayesian) for a large set of variables. 

The idea of using Bayesian or other belief networks in Intrusion Detection Systems 
has come from the necessity to combine different anomaly measures in detecting 
intrusions. Bayesian networks [10] allow the representation of causal dependencies 
between random variables in graphical form and permit the calculation of the joint 
probability distribution of the random variables by specifying only a small set of 
probabilities, relating only to neighboring nodes. This set consists of the prior 
probabilities of all the root nodes (nodes without parents) and the conditional 
probabilities of all the non-root nodes given all possible combinations of their 
direct predecessors. 

Bayesian networks, which are DAGs with arcs representing causal dependence 
between the parent and the child, permit absorption of evidence when the values of 
some random variables become known, and provide a computational framework for 
determining the conditional values of the remaining random variables, given the 
evidence. Figure 4 gives a trivial Bayesian network modeling intrusive activity. 

Each box represents a binary random variable with values representing either its 
normal or abnormal condition. If we can observe the values of some of these 
variables, we can use Bayesian network calculus to determine P(Intrusion|Evidence). 

However, to determine the a priori probability values of the root nodes and the link 
matrices for each directed arc for a general case, where many different intrusions 
are possible, we must incorporate a substantial amount of knowledge concerning the 
different types of attacks that can be used to compromise system security, as well 
as the conditional probabilities that various well-defined events will occur given 
that those attacks are in progress. Unfortunately, the intrusion-detection community 
is at the moment only at the first stage of trying to assemble this type of 
knowledge. 



Fig. 4: Bayesian alarm network - general case 

Our proposal, because of the complexity of finding a general solution, is not to use 
the Bayesian alarm network as a universal, standalone Intrusion Detection System. 
Instead, it could be used as an independent Intrusion Detection Agent for detecting 
one specific type of network attack. This way we need to induce into the system prior 
knowledge regarding only that type of attack. At the same time, other nodes of a 
large network can develop their own models of alarm networks for detecting the same 
kind of attack, freely entering local beliefs about data sensitivity and expectation 
of the attack. These agents should be able to communicate among themselves on a 
broadcast or search principle, as required. 

Besides being able to communicate among themselves, this approach requires the 
agents to communicate with a common database, the Bayesian Management Information 
Base (BMIB), which contains information regarding the attacks in progress. However, 
different sites will normally select different vendors and, since network incidents 
are often distributed over multiple sites, it is likely that a single incident will 
be visible in different ways. 

Clearly, it would be necessary for these diverse intrusion detection systems to be 
able to share data. A solution to that problem could result from the work of a new 
Intrusion Detection working group established in the Security Area of the IETF to 
define data formats and exchange procedures for sharing information of interest to 
intrusion detection and response systems and the management systems which have to 
interact with them. 

However, for our model, not only the data format in BMIBs and the exchange 
procedure must be standardized, but also the notation of the network attacks, like P 
for privacy, V for virus, W for worm, D for denial of service, etc. 

For the definition of the architectural model that could be used in the 
implementation of the security management system, a hierarchical organization of the 
networks and BMIBs is suggested [12]. The lower level of the hierarchy should include 
a small number of interconnected physical networks. A network of the upper level will 
interconnect the lower-level networks, and its BMIB will contain relevant 
information regarding attacks in a wider area. 

Due to the sophisticated nature of network attacks, security management cannot rely 
only on real-time monitoring of security measures. The network manager also needs 
to store in a database and analyze historical security information in order to 
detect an attack as a symptom of past correlated events and to discover the attacker. 

As an illustration of solving the specific problem of detecting a privacy attack on 
sensitive medical records, Figure 5 gives a simplified structure of a corresponding 
Bayesian alarm network. One possible choice of variables for this problem is 
Intrusion (I), Aids (A), External (E), Medical (M), Nonmedical (N), Outsider (O), 
where I represents that the current access to sensitive records is an intrusion on 
privacy, A an access to records with a diagnosis of AIDS, and E an access to external 
sensitive records (other ward or hospital). Variables M, N and O denote that the 
access is performed by medical staff, nonmedical staff, or an outsider. 




Fig. 5: One specific attack (privacy intrusion) - simpler Bayesian alarm network 

In this example, using the ordering (I,M,N,O,E,A) we have the following conditional 
independencies: 

$$
\begin{aligned}
p(m \mid i) &= p(m), \\
p(n \mid i, m) &= p(n), \\
p(o \mid i, m, n) &= p(o), \\
p(e \mid i, m, n, o) &= p(e \mid i), \\
p(a \mid i, m, n, o, e) &= p(a \mid i, m, n, o).
\end{aligned}
\qquad (1)
$$
As seen, we consider that accesses to sensitive records at different places are 
conditionally independent. Also, accesses by medical staff, nonmedical staff or 
outsiders are mutually conditionally independent. Our judgments about conditional 
independence between the various variables guide us to a network structure where it 
is easier to compute the probability of interest (the probability of intrusion): 



$$
p(i \mid m,n,o,e,a) = \frac{p(i,m,n,o,e,a)}{p(m,n,o,e,a)}
 = \frac{p(i,m,n,o,e,a)}{p(i,m,n,o,e,a) + p(i',m,n,o,e,a)} \qquad (2)
$$



Given the conditional independencies in Equation (1), we can make this 
computation more efficient: 



$$
p(i \mid m,n,o,e,a) \qquad (3)
$$

i.e.: 

$$
p(i \mid m,n,o,e,a) = \frac{p(i)\,p(e \mid i)\,p(a \mid i,m,n,o)}
{p(i)\,p(e \mid i)\,p(a \mid i,m,n,o) + p(i')\,p(e \mid i')\,p(a \mid i',m,n,o)} \qquad (4)
$$



From the presented example it is also possible to conclude that the requirement for 
prior knowledge regarding the attack is not a drawback in the case of a Bayesian 
network developed to detect one specific kind of intrusion. As we here concentrate 
on one type or a small subset of intrusions, it is expected that we should have more 
knowledge regarding the matter. At the same time, thanks to interconnections with 
other alarm networks at the same level of the hierarchy and the corresponding BMIB, 
we should be able to collect more knowledge and data regarding the same type of 
attack. (The connection to other alarm networks is here symbolically denoted with 
variable E, access to external sensitive records in another ward or hospital.) 
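The privacy-intrusion network of Figure 5, carried through numerically as an added example (not the paper's code). Every prior and conditional probability below is constructed for illustration; what follows the text is the variable set (I, M, N, O, E, A), the independencies of Equation (1), and the two ways of computing P(Intrusion | evidence): the full joint normalised over both values of I, as in Equation (2), and the reduced form of Equation (4) in which the factors p(m) p(n) p(o) cancel. The block checks that both agree on all 32 evidence settings.

```python
"""Computing P(Intrusion | evidence) for the privacy-attack alarm network.

Added example; not code from the paper.  All prior and conditional
probabilities below are constructed for illustration; the network
structure, the variables (I, M, N, O, E, A) and the two formulas
(full joint, Equation (2); reduced form, Equation (4)) follow the text.
"""
import itertools

P_I = 0.02                        # prior: an access is a privacy intrusion
P_M, P_N, P_O = 0.70, 0.20, 0.10  # root nodes: medical, nonmedical, outsider
P_E_GIVEN_I = {True: 0.80, False: 0.10}   # external records accessed | I


def p_a_given(i, m, n, o):
    """P(A=true | I, M, N, O): access to AIDS-diagnosis records (constructed)."""
    p = 0.05
    if i:
        p += 0.55
    if o:
        p += 0.15
    if n:
        p += 0.10
    if m:
        p -= 0.02
    return min(max(p, 0.0), 1.0)


def bern(p_true, value):
    """Probability of a binary variable taking 'value' when P(true) = p_true."""
    return p_true if value else 1.0 - p_true


def joint(i, m, n, o, e, a):
    """Chain rule in the ordering (I,M,N,O,E,A) with the independencies of
    Equation (1): p(i) p(m) p(n) p(o) p(e|i) p(a|i,m,n,o)."""
    return (bern(P_I, i) * bern(P_M, m) * bern(P_N, n) * bern(P_O, o)
            * bern(P_E_GIVEN_I[i], e) * bern(p_a_given(i, m, n, o), a))


def p_intrusion_full(m, n, o, e, a):
    """Equation (2): normalise the joint over both values of I."""
    yes = joint(True, m, n, o, e, a)
    no = joint(False, m, n, o, e, a)
    return yes / (yes + no)


def p_intrusion_reduced(m, n, o, e, a):
    """Equation (4): the factors p(m) p(n) p(o) cancel, so only the terms
    that depend on I remain."""
    yes = P_I * bern(P_E_GIVEN_I[True], e) * bern(p_a_given(True, m, n, o), a)
    no = (1 - P_I) * bern(P_E_GIVEN_I[False], e) * bern(p_a_given(False, m, n, o), a)
    return yes / (yes + no)


def max_discrepancy():
    """Largest difference between (2) and (4) over all 32 evidence settings."""
    return max(abs(p_intrusion_full(*ev) - p_intrusion_reduced(*ev))
               for ev in itertools.product([False, True], repeat=5))


if __name__ == "__main__":
    # Evidence: outsider, external records, AIDS-diagnosis records.
    print("outsider/external/AIDS:", round(p_intrusion_reduced(False, False, True, True, True), 4))
    # Evidence: medical staff, local records, other records.
    print("medical/local/other:", round(p_intrusion_reduced(True, False, False, False, False), 4))
    print("max |(2)-(4)|:", max_discrepancy())
```

With these constructed numbers an outsider reaching external AIDS records raises the posterior from a 2% prior to roughly 38%, while routine access by medical staff stays well under 1%; the alarm threshold a site applies to that posterior is the "local belief" the text leaves to each node.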

At a higher level of the hierarchy, based on its interconnections with lower-level 
networks and data from the Bayesian Management Information Base, the Bayesian alarm 
network will be able to monitor network attacks in a wider area, and can act as a 
Distributed Intrusion Detection System. Using recorded data from BMIBs, such a 
distributed Intrusion Detection System, with assembled knowledge from different 
Bayesian alarm networks, could have an integrated, human and computer program 
intrusion detection capability. 



6 Discussion 

It is shown that our model allows a Bayesian alarm network to work as an 
independent Intrusion Detection System and, at the same time, to be part of a larger 
distributed IDS. 

As opposed to other agent-based Intrusion Detection, our agent does not have 
limited capability but can work as a standalone IDS. Different sites, with different 
vendors selected, can independently develop their own models of alarm networks for 
detecting the same kind of attack, but the agents will be able to communicate among 
themselves thanks to the standard data format, exchange procedure and notation of 
the attacks. 

Besides standardization in messaging, the introduction of the Bayesian Management 
Information Base (BMIB) concept is also important in our approach. The BMIB will 
store information regarding the attack in progress and also historical security 
information. Based on the hierarchical organization of networks, it is possible to 
develop a distributed Intrusion Detection System that will use information from 
BMIBs and communicate with lower-level networks. 

With a Bayesian alarm network in conjunction with Bayesian statistical techniques, 
we can easily overcome the problem of missing data and facilitate the combination of 
prior knowledge and data, especially in the case (which is usual with Intrusion 
Detection) when no experiments are available. Finally, with a Bayesian alarm network 
we have no problem with different types of data, as different types of attributes 
may be freely mixed. 

A Bayesian alarm network in the described framework can be used not only to detect 
intrusions but to play an active role in protecting networks as well. Due to the 
nature of Bayesian probability, it could be able to prevent an ongoing attack even if 
we have not evidenced that kind of attack before. 



Abstract. S/MIME is based upon the popular MIME standard, and describes a 
protocol for adding cryptographic security services through MIME 
encapsulation of digitally signed and encrypted objects. The S/MIME version 2 
specification was designed to promote interoperable secure electronic mail. 
However, because the specification allows multiple interpretations and 
implementations, and is sometimes silent about key aspects that affect 
interoperability, a number of “S/MIME Enabled” products are available on the 
market that are incapable of fully interacting with one another. In this paper, we 
present a set of characteristics that affect the interoperability profile for a given 
S/MIME application, and illustrate how they may be used to achieve a higher 
level of interoperability within the family of S/MIME compliant products. We 
also analyze the S/MIME version 3 specification to determine what subset of 
the identified interoperability characteristics still remain to be adequately 
addressed. 



1 Introduction 

S/MIME (Secure / Multipurpose Internet Mail Extensions) is a specification for 
securing electronic mail. S/MIME is based upon the popular MIME standard, and 
describes a protocol for adding cryptographic security services through MIME 
encapsulation of digitally signed and encrypted objects. The exact security services 
offered by S/MIME are authentication, non-repudiation, message integrity, and 
message privacy. 

The S/MIME Version 2 specifications were designed to promote interoperable 
secure electronic mail, such that two compliant implementations would be able to 
communicate securely with one another [6, 7]. However, because the specification 
allows multiple interpretations and implementations, and is sometimes silent about 
key aspects that affect interoperability, what has resulted is the availability of multiple 
S/MIME compliant commercial products that are not capable of fully interoperating 
with one another with respect to secure messaging. 

Recently, the S/MIME Version 3 specifications were passed by the IESG (Internet 
Engineering Steering Group) and are in the process of being published as RFC 
(Request For Comment) standards by the IETF (Internet Engineering Task Force) [8, 
9]. However, this paper describes the findings of a set of interoperability 
experiments that were conducted using commercial-off-the-shelf (COTS) 
S/MIME version 2 products from different vendors. The experiments were 
designed to test the interoperability between peer S/MIME applications, between 
S/MIME applications and Certification Authority products, and between S/MIME 
applications and Directories. Other groups have also conducted tests on S/MIME 
applications and have published results [10]. 

All of the S/MIME implementations tested have been awarded the “S/MIME 
Enabled” seal based upon compliance tests conducted by RSA Labs. [Appendix A 
lists the actual products that were used in the tests.] Yet, there were a significant 
number of scenarios, where interoperability between the implementations was either 
limited or unachievable. From the test results, we concluded that there are a number 
of characteristics or properties that affect the interoperability of a given S/MIME 
application with other S/MIME applications, Certification Authority products and 
Directory products. These characteristics are neither part of the S/MIME version 2 
specifications, nor do they appear in the S/MIME compliance testing methodology 
adopted by RSA. The recently approved S/MIME version 3 standard addresses some, 
but not all of the characteristics described in this paper. 

In this paper, we discuss these characteristics and illustrate how they affect the 
interoperability profile for a given S/MIME application. Interoperability is a prime 
concern of users of S/MIME implementations. Awareness of these characteristics may 
help to fine tune the S/MIME specifications to support a greater level of 
interoperability. They may also help the developers of S/MIME applications to make 
design decisions that would further the cause of interoperability. Additionally, these 
characteristics may help individuals who are procuring S/MIME applications to 
differentiate between the available implementations and select the one that most 
closely meets their interoperability needs. Finally, although these characteristics were 
derived from tests conducted upon S/MIME implementations, they may be applied to 
any end-user security application that requires a public key infrastructure. 

The rest of this paper is organized as follows. Section 2 describes the necessary 
background including the evolution and current status of the S/MIME specification. 
Section 3 describes a categorized set of characteristics that impact the ability of an 
S/MIME implementation to interoperate with other implementations. Section 4 
discusses how the findings in this paper can be used to attain a higher level of 
awareness about the potential bottlenecks to interoperability. Section 5 analyzes the 
S/MIME version 3 specifications to identify the S/MIME interoperability 
characteristics that have been adequately addressed, and the ones that still need more 
attention at the specification level. Finally, our conclusions are presented in Section 6. 



2 Background 

2.1 Evolution of the S/MIME Standard 

The Multipurpose Internet Mail Extension (MIME) was also developed by the IETF, 
and was designed to support non-textual data (such as graphics data or video data) as 
the content of an Internet message [4,5]. Additional structure was imposed on the 
MIME message body to provide an encryption and digital signature service as part of 
the S/MIME specification. 
2.2 S/MIME Version 2 

The S/MIME specification uses data structures that conform to Public Key 
Cryptographic Standard (PKCS) #7 [1]. PKCS #7 is a cryptographic message syntax 
that is designed to specify the content and form of the information that is required in 
order to provide an encryption and digital signature service. 

S/MIME implementations support several different symmetric content encryption 
algorithms. The RC2 algorithm with a key size of 40 bits is supported, even though it 
provides weak encryption, in order to comply with U.S. export regulations. In 
addition, in most S/MIME implementations, the user can choose DES, Triple DES or 
RC2 with a key size greater than 40 as the content encryption algorithm. The user can 
normally select either SHA-1 or MD5 as the message digest algorithm; the receiver’s 
application must be able to process both algorithms. The sender’s system must use the 
RSA public key algorithm with a key size ranging from 512 to 1024 bits to sign a 
message digest or to encrypt the content encrypting key. 

A Certification Authority (CA) issues certificates that bind the identity of a public 
key to a user. This binding is only as strong as the out-of-band verification that the 
CA performs before issuing the certificate. Since many CAs can issue certificates, 
there must be a method of establishing trust among CAs so that each user can trust the 
information in a certificate issued by a CA other than his own. After the public 
certificate is issued, there must be a method by which the certificate is made available 
to other users. The certificate must be in a standard format so that the information in 
the certificate can be processed by applications built by different vendors. 

Deployment of S/MIME secure e-mail implementations requires a supporting 
Public Key Infrastructure (PKI) to provide solutions for the issues listed above. In 
some cases, standards have already been developed and implemented to provide this 
infrastructure. There is agreement that the certificate format will conform to Version 3 
of the International Telecommunications Union (ITU) X.509 Recommendations. 
There is agreement that the Lightweight Directory Access Protocol (LDAP) is the 
protocol that will be used to access the directories that function as certificate 
repositories. PKCS#10 specifies the format for a request for a CA to issue a certificate 
[2]. 



2.3 S/MIME Version 3 

The S/MIME Version 3 specification [8, 9] is based on the usage of data structures 
from the Cryptographic Message Syntax (CMS) published as an RFC [11] by the 
IETF. CMS is derived from PKCS#7 version 1.5. The changes were designed to 
accommodate key agreement techniques for key management and the support of 
attribute certificates. 

Version 3 products are mandated to support the use of DSA (Digital Signature 
Algorithm) for signatures, and DH (Diffie-Hellman) for key establishment. The use of 
RSA for signature and key exchange is not mandated, but is specified as desirable. 
The symmetric encryption algorithm that must be supported by all Version 3 
implementations is Triple DES (DES EDE3 CBC). 40 bit RC2 is supported as a non- 
mandatory algorithm to allow backward compatibility with Version 2 
implementations. 
Version 3 specifies a number of attributes that may be sent within the CMS 
message as either signed or unsigned attributes. Receiving agents must be able to 
process these attributes. The signed attributes that may be included in a Version 3 
message are signing time, S/MIME capabilities, S/MIME encryption key preference, 
and signing certificate. It may be noted that the Version 3 specification implicitly 
supports the usage of separate key pairs (and hence certificates) for signature and key 
exchange. 

The S/MIME capabilities signed attribute allows the sender to specify their 
algorithmic preferences in the order of preference. This allows a peer to select the 
algorithms that are appropriate. Both opaque as well as multipart formats are 
supported for signed messages in Version 3, but neither one is specified as being 
mandatory for sending or receiving agents. The support for messages that carry only 
certificates to the peer is supported in Version 3, thus allowing in-band certificate 
distribution. 
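How a sending agent can act on the capabilities attribute described above, as an added example that is not code from the paper or from any S/MIME product. The algorithm catalogue with its key sizes, the local minimum-key-size policy and the capability lists are constructed; what the text supplies is that the attribute lists algorithms in the sender's order of preference, that Triple DES is mandatory for every Version 3 agent (so it is the safe choice when nothing is known about the peer), and that RC2/40 is optional and weak.

```python
"""Choosing a content-encryption algorithm from a peer's S/MIME capabilities.

Added example; not code from the paper or from any S/MIME implementation.
The algorithm catalogue, the local policy threshold and the capability
lists are constructed for illustration.  From the text: the capabilities
attribute lists the sender's algorithms in order of preference, Triple DES
is mandatory for Version 3 agents, and RC2/40 is optional and weak.
"""

# Constructed catalogue: content-encryption algorithms named in the text
# with their effective key sizes in bits.
ALGORITHMS = {"3DES": 168, "DES": 56, "RC2/128": 128, "RC2/64": 64, "RC2/40": 40}

MANDATORY_V3 = "3DES"   # DES-EDE3-CBC, required of every Version 3 agent
MIN_KEY_BITS = 64       # constructed local policy: refuse export-strength ciphers


def select_content_cipher(peer_capabilities, local_supported, allow_weak=False):
    """Return the peer's most preferred algorithm that we also support and
    that passes the local key-size policy.

    peer_capabilities: algorithms in the peer's preferred order, taken from
    the last signed message received from it; an empty list means no
    capabilities attribute has been seen yet.
    Returns None when the two agents share no acceptable algorithm.
    """
    if not peer_capabilities:
        # Nothing known about the peer: Version 3 guarantees Triple DES.
        return MANDATORY_V3 if MANDATORY_V3 in local_supported else None
    for alg in peer_capabilities:
        if alg not in ALGORITHMS or alg not in local_supported:
            continue              # unknown to us, or advertised but not implemented here
        if ALGORITHMS[alg] < MIN_KEY_BITS and not allow_weak:
            continue              # e.g. RC2/40: skip unless policy allows it
        return alg
    return None


if __name__ == "__main__":
    ours = {"3DES", "RC2/128", "RC2/40"}
    print(select_content_cipher(["RC2/128", "3DES"], ours))          # RC2/128
    print(select_content_cipher(["DES", "RC2/40", "3DES"], ours))    # 3DES
    print(select_content_cipher(["RC2/40"], ours))                   # None
    print(select_content_cipher(["RC2/40"], ours, allow_weak=True))  # RC2/40
    print(select_content_cipher([], ours))                           # 3DES
```

The None result is the interoperability failure the paper is about: a peer that advertises only export-strength RC2 cannot be reached without relaxing local policy, and a Version 2 peer that sends no capabilities at all can only be reached by guessing, which the Version 3 mandatory algorithm removes.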

Certificates and certificate revocation lists used within Version 3 implementations 
must be compliant with [1]. Receiving agents must validate peer certificates 
(including revocation checking) for all messages. Version 3 also supports the use of 
X.509 attribute certificates. Receiving agents must be able to handle messages that 
contain no certificates using a database or directory lookup scheme. 



2.4 S/MIME Compliance Tests from RSA 

S/MIME products are being developed to interoperate with the products of different 
vendors. When they purchase an S/MIME product, users want to know that they can 
exchange signed and encrypted messages with any other S/MIME user. RSA Data 
Security has set up an S/MIME Interoperability Center that allows vendors to perform 
interoperability testing on their products and to have the results published. 

The RSA Interoperability Test Center was established in 1997. Participating 
vendors test against WorldTalk’s WorldSecure Client which is the designated 
reference implementation. All vendors participating in the testing use Verisign’s Class 
1 public key certificates. The vendor first sends a signed message containing a public 
key certificate to the reference implementation and receives two signed and encrypted 
messages in return. One message uses RC2 as the content encryption algorithm; the 
second message uses Triple-DES for content encryption. Both messages contain a 
secret phrase. The vendor decrypts the messages, extracts the secret phrases and 
includes them in the messages sent back to the reference implementation, using the 
same content encryption algorithm. If the reference implementation can recover the 
secret phrases, the successful test results will be posted on the S/MIME 
Interoperability Test Center Web Page (www.rsa.com/smime). As of January 1999, 
more than 20 different S/MIME products have been successfully tested. [Appendix B 
lists the products that have been awarded the S/MIME compliance seal by RSA 
Labs.] 

The testing, while providing useful information, is limited in scope. It doesn't test 
the ability of an S/MIME implementation to interact with a certificate repository in 
order to publish or obtain a public key certificate. It doesn’t test the ability to process 
certificates issued by different Certification Authorities or the ability to process 
Certification Revocation Lists. It also doesn’t follow that, because the 
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implementations test successfully with the reference implementation, they will 
successfully test with each other. 



3 Interoperability Characteristics 

This section describes characteristics and properties that are pertinent to the ability of 
an S/MIME implementation to interoperate with peer implementations, Certificate 
Authorities, and Repositories. The properties are categorized into sets that affect a 
particular area of operation of a specific implementation. 



3.1 Certificate Handling 

This section describes characteristics related to the management and use of 
certificates within an S/MIME implementation. 



Managing Certificates for Local User. The local user is the human entity that 
controls an S/MIME application to send and receive secure email with its peer 
entities. 



Distinct Signing and Encryption Certificates for Local User. The S/MIME Version 2 
specification calls for the use of a single certificate for signing outgoing email as well 
as receiving incoming encrypted email. Most currently available S/MIME 
implementations support a single certificate for the local user running the S/MIME 
application. S/MIME Version 3, however, supports the use of separate certificates for 
signatures and encryption, and a small set of S/MIME implementations implement 
this two-certificate scheme [8, 9]. 

An S/MIME application that only supports a single certificate for encryption and 
signatures may be unable to communicate securely with a peer that supports a dual 
certificate scheme. For example, a typical S/MIME implementation will try to use the 
certificate that validated a signed message from a peer to send an encrypted message to 
that peer entity. However, if the peer happens to be a dual-certificate-based 
implementation, it will reject the incoming encrypted message, since it will not be able 
to use its own encryption certificate to decrypt the message. Thus, single certificate 
implementations provide the greatest level of interoperability in the current S/MIME 
version 2 space of products. If dual-certificate implementations are used, it is 
recommended that users identify the same certificate as the signature as well as the 
encryption certificate. 
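The certificate-selection mistake described above, as an added example that is not code from the paper or from any product it tested: a constructed model in which a certificate is reduced to its key identifier and keyUsage bits (an empty keyUsage stands for a single dual-use certificate without the extension), contrasting a sender that reuses the signer's certificate with one that checks key usage first.

```python
"""Choosing which peer certificate to encrypt to when the peer may hold separate
signing and encryption certificates. Constructed model, not code from the paper
or from any product it tested: a certificate is reduced to its subject, a key
identifier and its keyUsage bits; an empty keyUsage models a certificate without
the extension, i.e. a single dual-use certificate as in S/MIME v2."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    key_id: str                 # stands in for SubjectKeyIdentifier
    key_usage: frozenset        # subset of {"digitalSignature", "keyEncipherment"}

    def usable_for_key_transport(self) -> bool:
        return not self.key_usage or "keyEncipherment" in self.key_usage


@dataclass
class Peer:
    """A receiving agent holding the private keys for its own certificates."""
    certs: Tuple[Cert, ...]

    def can_decrypt(self, wrapped_to_key_id: str) -> bool:
        """A dual-certificate peer only unwraps with its encryption key; a message
        wrapped to its signing key is rejected, which is the failure described
        in the text above."""
        return any(c.key_id == wrapped_to_key_id and c.usable_for_key_transport()
                   for c in self.certs)


def naive_pick(certs_seen: List[Cert]) -> Optional[Cert]:
    """Single-certificate logic: reuse the certificate that validated the peer's
    last signed message (the signer's certificate is listed last)."""
    return certs_seen[-1] if certs_seen else None


def usage_aware_pick(certs_seen: List[Cert]) -> Optional[Cert]:
    """Take the first certificate whose key usage permits key transport, which also
    covers single-certificate peers; refuse to encrypt if none qualifies."""
    return next((c for c in certs_seen if c.usable_for_key_transport()), None)


def exchange(peer: Peer, certs_seen: List[Cert], picker) -> bool:
    """Sender picks a certificate, wraps the content key to it, peer tries to unwrap."""
    chosen = picker(certs_seen)
    return chosen is not None and peer.can_decrypt(chosen.key_id)


# Constructed peers: Bob uses separate certificates (S/MIME v3 style), Carol one.
BOB_SIGN = Cert("bob", "bob-sig-key", frozenset({"digitalSignature"}))
BOB_ENC = Cert("bob", "bob-enc-key", frozenset({"keyEncipherment"}))
CAROL = Cert("carol", "carol-key", frozenset())
BOB = Peer((BOB_SIGN, BOB_ENC))
CAROL_PEER = Peer((CAROL,))
# Certificates carried in each peer's signed message, signer's certificate last.
BOB_SEEN = [BOB_ENC, BOB_SIGN]
CAROL_SEEN = [CAROL]

if __name__ == "__main__":
    print("naive -> Bob:", exchange(BOB, BOB_SEEN, naive_pick))                # False
    print("usage-aware -> Bob:", exchange(BOB, BOB_SEEN, usage_aware_pick))    # True
    print("naive -> Carol:", exchange(CAROL_PEER, CAROL_SEEN, naive_pick))     # True
```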



Self-Signed Certificate Support for Local User. The use of the security features of 
S/MIME within a group of peer entities is predicated upon the availability of a PKI 
that allows an entity within the group to establish trust in the public key certificates of 
every other entity within the group. However, the deployment of large-scale public 
key infrastructures has been neither easy nor widespread. In the absence of a PKI, 
certain trust models allow a small group of peers to trust one another implicitly. This 
is typically achieved by exchanging certificates via some secure means and trusting 
peer certificates implicitly, as opposed to trusting them via certificate path validation 
to a trusted anchor or root certificate. 

A subset of the S/MIME implementations that are currently available support the 
use of an implicit trust model using self-signed certificates. Self-signed certificates 
accompanying incoming signed messages from peers can be implicitly trusted and 
used to send encrypted messages to the peer entity. Other S/MIME implementations 
do not allow the use of self-signed certificates either for the local user or their peers. 
To allow rapid deployment of S/MIME in an environment where PKI path-based trust 
cannot be established, it is preferable to use S/MIME implementations that support an 
implicit trust model. 



Single / Multiple Certificates for Local user. Some S/MIME applications have the 
capability to support multiple certificates for the local user. This allows the local user 
to belong to multiple PKI hierarchies simultaneously, selecting the certificate to use 
when interacting with a particular peer. For example, user A belongs to infrastructures 
X and Y and has certificates K_X and K_Y from infrastructures X and Y respectively. 
Entity B belongs to infrastructure X and can only validate certificates in X; entity C 
belongs to infrastructure Y and can only validate certificates within Y. When 
interacting with B, A selects certificate K_X. Likewise, A selects certificate K_Y when 
interacting with C. Support for multiple certificates for the local user is thus a very 
desirable attribute in an S/MIME application. 



Ability to Import PKCS #12 Credentials for Local user. PKCS (Public Key 
Cryptography Standards) #12 is a de-facto standard from RSA Laboratories for 
securely packaging credentials (public and private key pairs) for transport or storage 
[3]. Many S/MIME applications have built-in or companion modules that generate 
key pairs, and are able to dispatch certificate requests to Certification Authorities 
using the newly generated public key. In such cases, the ability to import PKCS#12 
objects is not necessary. However, there are two situations where it becomes 
important for an S/MIME application to import PKCS#12 objects. In the first 
situation, a Certification Authority may perform key pair generation for every 
certificate issued by it; a PKCS#12 object is then sent back to the S/MIME user for 
import into the S/MIME application. In the second case, a key pair and certificate 
may be held within an external module (such as a browser), and the user may be 
interested in importing the same set of credentials for use within the S/MIME 
application. 

The ability of an S/MIME implementation to import and use PKCS#12 objects thus 
affects its interoperability with CAs and the ability to share digital credentials with 
other PKI-based applications. 

Managing Peer Certificates. 



Self-Signed Peer Certificate Support. The ability to support an implicit trust model 
using self-signed certificates from peers allows an S/MIME application to be fit for 
quick deployment in communities where a pervasive PKI is lacking. 

Acquiring Certificates for Peers. Peer certificates are acquired by S/MIME 
applications in any of the following three ways: 

• Extracting certificates from incoming signed messages from peers 

• Loading certificates from *.p7c files 

• Lookup of peer certificates from a LDAP Repository 

The lack of support for one or more of the above may hinder an S/MIME application 
from obtaining certificates for peer users, and therefore, from being able to 
communicate securely with them. For example, if an S/MIME client application only 
has the capability to extract certificates from signed messages, then it cannot interact 
with a peer S/MIME application that does not send certificates along with a signed 
message. 

Support for Selective Trust of Peer Certificates. Occasionally, peer certificates that 
are acquired (through any of the mechanisms discussed in the last section) cannot be 
validated using any of the known trusted root keys embedded within the S/MIME 
application. In such cases, it is very useful if the S/MIME application provides the 
local user the ability to selectively trust peer certificates that have been acquired. 
Once the local user designates the peer certificate as trusted, secure, encrypted email 
can be sent to that peer. 

Managing Root Certificates. Most S/MIME implementations come preloaded with a 
set of root certificates, all or a subset of which may be designated as trusted. These 
trusted root certificates are used to validate the certificates of peers. This section 
describes some attributes that affect the management of root certificates. 

Acquiring Certificates for Roots. Root certificates may be acquired via the same three 
ways (as mentioned in the last subsection) used to acquire peer certificates. Support 
for various means of acquiring root certificates for use within an S/MIME application 
allows it to use additional roots to establish trust in peer certificates. Conversely, lack 
of support for one or more of these ways may disallow import of a particular root 
certificate, and prevent interoperability with a peer that is certified by that root 
authority. 

Selectively Trusting Root Certificates. Having acquired or imported additional root 
certificates into an S/MIME application, it is very useful to have the ability to 
selectively trust one or all of the newly imported root certificates. Thus, if the local 
user is given the opportunity to designate newly imported roots as trusted, it may 
allow the local user to establish trust in all certificates issued by these additional 
trusted roots. Conversely, if additional trusted roots cannot be established within an 
S/MIME application, it may be impossible to communicate with a large set of 
potential peers. 



3.2 Interaction with Certificate Authorities 

S/MIME users need to obtain certificates signed by Certification Authorities (CA) to 
communicate securely with peers. The only exception is when self-signed certificates 
are used within a small well-known community to establish implicit trust in peers. 
Most S/MIME applications have associated modules or software tools that allow the 
generation of a key pair on behalf of the local user, and the construction and dispatch 
of a certification request to a CA. The certificate request message is based upon the 
PKCS#10 format as specified in the S/MIME Version 2 specification. 

Support for Multiple Mechanisms for Requesting Certificates from CAs. 

Certification Authorities or their delegates support one or more of the following 
transport mechanisms for incoming certification requests, and distribution of issued 
certificates: 

• Web: The User’s Web Browser connects to the CA’s website to dispatch 
certification requests, or to collect an issued certificate. 

• Email: The User sends an email to the CA’s email address with the certification 
request. The CA may send an email back to the User with a reference to the 
location where the issued certificate may be picked up. 

• In-Person/Floppy/Smart Card: The User places the certification request on a 
floppy or similar physical medium and transports it to the CA or its delegate. The 
CA or its delegate may return the issued certificate on a floppy or other medium 
(such as a smart card) for import and use by the User’s application. 

S/MIME applications that support all of the above mechanisms for interaction with a 
CA are able to request and receive certificates from the majority of CA products. 



3.3 Interaction with Repositories 

Certificate distribution in a small community may be achieved by users exchanging 
certificates with one another. However, the S/MIME Version 2 specification calls for 
the use of LDAP (Lightweight Directory Access Protocol) to interface with 
directories/repositories to obtain certificates and revocation information for users. 



Publishing local user certificate. Typically, the CA that issues a certificate is 
responsible for publishing it in a repository. However, some S/MIME 
implementations also have the ability to publish the local user’s certificate in a chosen 
directory. This feature is very useful in a domain where peers obtain each other’s 
certificate from an organizational directory. Publication in the directory makes the 
user’s certificate readily available to a large community of peers, and thus promotes 
interoperability. 



Peer Certificate Lookup. When an S/MIME application supports the lookup of 
LDAP-based Directories for peer certificates, it gives the local user access to a large 
set of potential peer certificates, and the ability to interact with these peers. 

3.4 Signing Outgoing Messages 



This section describes various issues involved during signing of messages that may 
determine its level of interoperability. 

Support for Opaque/Clear Signed Message Formats. S/MIME Version 2 provides 
for two data signing formats. In the “clear” or multipart format, the signature is 
separated from the signed data and is sent as an attachment. There is both an 
advantage and a disadvantage in using this signing format. The advantage is that the 
recipient can always read the message even if the recipient’s e-mail application is not 
an S/MIME client and the signature cannot be verified. The disadvantage is that the 
message may undergo some format conversion as it transits a mail gateway that is not 
S/MIME-aware. This will cause the receiving S/MIME application to invalidate the 
signature. 

This can be corrected by binding the signature with the message in a single binary 
file. The resulting format is labeled the “opaque” format. No conversion will be 
performed by a mail gateway on the binary file and the message can be verified by an 
S/MIME application that serves the recipient. However, because the message text is 
wrapped in a binary file, the recipient cannot read it if the recipient’s e-mail 
application is not an S/MIME client. 

The existence of two possible signing formats has led to some difficulties in 
S/MIME interoperability. Some applications sign in “clear” format, some sign in 
“opaque” format; others give the user a choice. The applications that support both 
formats for outgoing signed messages are guaranteed to be able to successfully 
interoperate with every other S/MIME application. 
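The gateway failure mode above, as an added example that is not code from the paper or any product it tested: a constructed clear-signed and opaque-signed message are passed through a relay that rewrites line endings and trims trailing whitespace, and the receiving side's check is run on both. The RSA signature step is omitted; the SHA-1 message digest stands in for the signed value, since RSA over that digest does not change which bytes are covered.

```python
"""Clear-signed versus opaque-signed S/MIME through a gateway that is not
S/MIME-aware. Constructed example: the message, boundary and gateway behaviour
are invented here, and the SHA-1 message digest stands in for the RSA-signed
value (the RSA operation over that digest does not change the comparison)."""
import base64
import hashlib
import re
import textwrap

BOUNDARY = "----=_SigBoundary_CQRE"                                      # constructed
SAMPLE_BODY = "Order confirmed.\nTotal due: 1,200 EUR \t\nThanks, A."   # constructed


def canonical(text: str) -> bytes:
    """MIME canonical form (CRLF line endings): the bytes the signature covers."""
    return "\r\n".join(text.replace("\r\n", "\n").split("\n")).encode()


def signed_entity(body: str) -> bytes:
    """The inner entity that is signed: its own header plus the canonical body."""
    return b"Content-Type: text/plain\r\n\r\n" + canonical(body)


def digest(entity: bytes) -> str:
    """Message digest carried in SignerInfo (SHA-1 here, as in S/MIME v2)."""
    return hashlib.sha1(entity).hexdigest()


def clear_sign(body: str) -> bytes:
    """multipart/signed: the readable entity first, the detached signature second."""
    entity = signed_entity(body)
    head = ('Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
            f' micalg=sha1; boundary="{BOUNDARY}"\r\n\r\n--{BOUNDARY}\r\n').encode()
    sig = (f"\r\n--{BOUNDARY}\r\nContent-Type: application/pkcs7-signature\r\n\r\n"
           f"{digest(entity)}\r\n--{BOUNDARY}--\r\n").encode()
    return head + entity + sig


def opaque_sign(body: str) -> bytes:
    """application/pkcs7-mime: entity and signature in one binary blob, base64 armoured."""
    entity = signed_entity(body)
    blob = entity + b"\r\n" + digest(entity).encode()   # stands in for SignedData DER
    armour = "\r\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 76))
    return ("Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + armour + "\r\n").encode()


def legacy_gateway(message: bytes) -> bytes:
    """A relay with no S/MIME support: rewrites to LF line endings and trims
    trailing whitespace on every line (a typical format conversion)."""
    lines = message.decode().replace("\r\n", "\n").split("\n")
    return "\n".join(line.rstrip(" \t") for line in lines).encode()


def _strip_headers(text: str) -> str:
    """Return the body of a MIME entity, whatever line endings arrived."""
    return re.split(r"\r?\n\r?\n", text, maxsplit=1)[1]


def verify_clear(message: bytes) -> bool:
    """Receiving agent: re-canonicalise the received entity and compare digests.
    Line-ending changes are undone by canonicalisation; other edits are not."""
    delimiter = rf"(?:\r?\n)?--{re.escape(BOUNDARY)}(?:--)?(?:\r?\n)?"
    parts = [p for p in re.split(delimiter, _strip_headers(message.decode())) if p]
    entity_text, sig_part = parts
    return digest(canonical(entity_text)) == _strip_headers(sig_part).strip()


def verify_opaque(message: bytes) -> bool:
    """Receiving agent: remove the base64 armour, then check the embedded digest."""
    blob = base64.b64decode(_strip_headers(message.decode()))
    entity, sig = blob.rsplit(b"\r\n", 1)
    return digest(entity) == sig.decode()


def readable_without_smime(message: bytes, body: str) -> bool:
    """Would a client with no S/MIME support still show the text?"""
    return body.splitlines()[0].encode() in message


if __name__ == "__main__":
    for name, sign, verify in (("clear", clear_sign, verify_clear),
                               ("opaque", opaque_sign, verify_opaque)):
        msg = sign(SAMPLE_BODY)
        print(name, "direct:", verify(msg), "via gateway:", verify(legacy_gateway(msg)))
```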

Support for Multiple Algorithms and Key Sizes. All currently available S/MIME 
implementations use RSA for signatures; the keys that are used vary between sizes 
512/768/1024/2048. The hashing algorithm used within the signature could be SHA-1 
or MD5. Some S/MIME applications support only a subset of the above algorithms 
for incoming signed messages. In order for two S/MIME implementations to 
exchange signed messages, they must support a common set of algorithms and key 
sizes. Thus the implementations that support both hash algorithms and various RSA 
moduli, and allow the local user to select the algorithms to use for specific outgoing 
signed messages enable the greatest level of interoperability with other S/MIME 
implementations. 



3.5 Validating Incoming Signed Messages 

Support for Opaque/Clear Signed Message Formats. Support for both signed 
message formats for validating incoming signed messages provides the highest level 
of interoperability with other S/MIME implementations that may support only one of 
the formats for outgoing signed messages. See similar subsection above for further 
details. 

Support for Multiple Algorithm Choices and Key Sizes. Support for multiple hash 
algorithms and various moduli for the RSA signature keys for validating incoming 
signed messages promotes interoperability with a large number of sending clients. See 
similar subsection above for further details. 



X.509v3 Certificate Path Validation. S/MIME Version 2 specifies the use of 
X.509v3 certificate path validation mechanisms for S/MIME implementations; 
support for this type of path validation allows an S/MIME application to parse 
complex certificate chains to establish trust in peer certificates. All S/MIME 
applications that we have tested have the capacity to validate flat certification 
hierarchies, namely, the CA issues certificates to S/MIME users in a one level deep 
hierarchy. However, many implementations do not support the validation of 
certificates that are part of a multiple level hierarchy. In order to interoperate with the 
largest possible set of peers (some of which may send out signed messages with 
certificate chains that are part of a multiple level hierarchy), it is very useful if an 
S/MIME implementation supports fully compliant X.509v3 path validation. 



3.6 Encrypting Outgoing Messages 

In S/MIME, Version 2, an encrypted message is constructed as follows: a random 
symmetric key is used to encrypt the message, and the recipient’s public key is used 
to wrap the symmetric key for key transfer purposes. On the recipient’s side, the 
corresponding private key is used to unwrap the symmetric decryption key, and the 
latter is used to decrypt the message. 

Support for Multiple Algorithm Choices and Key Sizes. The S/MIME Version 2 
specification allows the use of various symmetric algorithms and key sizes for 
message encryption, and various RSA moduli for key exchange. Currently, S/MIME 
applications support one or more of the symmetric encryption algorithms, DES, Triple 
DES and RC2, with various key sizes. In order for an encrypted message to be passed 
between two S/MIME applications, both sides must support the same encryption 
algorithm and key size, and the same modulus for RSA key exchange. Some 
implementations support only a single algorithm and key size for encryption, or a 
single modulus for RSA keys. The implementations that support all or a large subset 
of the available algorithms provide the greatest level of interoperability with peer 
implementations with a limited set of algorithms. 



3.7 Decrypting Incoming Messages 

Selection of Local User Certificate for decryption. When the local user possesses 
more than one certificate, and receives an encrypted S/MIME message, the correct 
certificate and private key needs to be selected to decrypt the message. Some 
implementations leave the selection of the appropriate private key (from the set of 
available private keys) to the user. Others allow a transparent selection of the 
appropriate private key for decryption; this is a very useful feature in environments 
where users routinely possess certificates from multiple public key infrastructures, 
and use them for communicating with peers from disparate trust domains. 

Support for Multiple Algorithms and Key Sizes. See similar subsection above for 
details. 

4 Usefulness of the Interoperability Characteristics 

The characteristics and properties outlined in this paper provide us with a greater 
insight into the issues that affect the interoperability of a S/MIME implementation in 
a real-world scenario. Ideally, the S/MIME specification should be capable of 
addressing each of these issues and setting minimum requirements to allow a base 
level of interoperability between all compliant implementations. Understanding the 
intricacies of the various choices that can be made within the scope of the S/MIME 
Version 2 specification may help to fine tune the future S/MIME specifications. 

Understanding the characteristics that affect interoperability also helps vendors of 
S/MIME products understand the implications of the implementation and design 
choices they make for their products. Knowledge of these characteristics is also 
important to the community of S/MIME product users and procurers. Users who are 
aware of their own environments with respect to the deployment of PKI products will 
be able to make an informed decision about which subset of the characteristics 
presented in this paper are relevant to their interoperability needs. Having defined 
their idealized profile for S/MIME products, they can then evaluate the available 
implementations from the various vendors and select the one that scores highest in the 
evaluation based upon their customized needs. 

The characteristics described in this paper were derived through a study of the 
S/MIME specification and experimentation with S/MIME implementations. However, 
we believe that a large subset of these characteristics are also applicable to most other 
public key infrastructure based secure communication protocols, and their 
implementations. The lessons learned through the study of S/MIME should be easily 
transferable to other similar domains. 



5 Analysis of the S/MIME Version 3 Specifications with Respect 
to the Interoperability Characteristics 



S/MIME Version 3 uses the CMS instead of the PKCS#7 standard to build the 
S/MIME objects. CMS supports a set of signed attributes that are encapsulated within 
the SignerInfo data type that is a part of each S/MIME signed object. CMS allows 
object identifiers (OIDs) for preferred algorithms to be conveyed using these signed 
attributes. However, there does not appear to be a way to support the conveyance of 
other critical information for the sender, such as signature format preferences, or trust 
anchors known to the sender, etc. Additionally, these capabilities seem to be 
supported only when a signed message is sent. When the enveloped data content type 
is used, only a limited set of originator information (certificates and CRLs only) may 
be included in the message - there does not appear to be a way for the originator to 
include their algorithmic preferences to their peers. 

A deficiency that continues to exist in the Version 3 specification is that there is no 
mandate to support a particular signature format (opaque versus multipart). As we 
have noted in this paper, a number of the interoperability problems were related to the 
support of only one or the other signature formats in Version 2 products that we 
tested. It would be desirable to establish a baseline for the supported signature formats 
- this would allow a minimal level of interoperability between all S/MIME 
implementations. Thus, we would recommend that the S/MIME specification be 
augmented to require that both sending as well as receiving agents MUST support the 
opaque signature format. In addition, sending and receiving agents SHOULD support 
the clear signing format to allow non-S/MIME capable mail agents to display the 
message contents. 

A desirable feature of Version 3 specification is that it supports the ability to 
dynamically import additional trust anchors into an S/MIME product. Receiving 
agents MUST support the import of additional trusted roots and certificate chains 
from incoming S/MIME messages. During the import of additional trust anchors, 
receiving agents SHOULD allow the user to select whether or not to trust new root 
certificates that were imported. Other methods to allow import of additional trust 
anchors would also be desirable (for example, the import of self-signed .p7c files 
from a floppy). 



6 Conclusions 

In this paper, we have described a number of important properties that affect the 
ability of an S/MIME implementation to interoperate with its peer implementations. 
However, there are other issues that also affect the suitability of an implementation 
within a particular environment. 

The usability characteristics of an implementation go a long way to promote the 
usage of the product. If secure email products provide daunting user interfaces, they 
will not be widely used. One obvious recommendation for heightening user friendliness 
would be to transparently support the digital certificates of peers within the address 
book mechanisms provided by the basic email package. Thus, when a signed message 
comes in, the local user can add the sender to their local address book and thereby 
transparently add the sender’s certificate to the address book entry. Conversely, when 
sending out encrypted email, the local address book could be used to select the 
receiver and transparently select the receiver’s certificate (if present as part of the 
address book entry.) 

Most current implementations also have little or no support for revocation 
checking of certificates. As public key infrastructures become widely deployed, the 
very real management problems such as certificate revocation need to be handled 
within the applications using the infrastructure. 

In conclusion, we would like to point out that it is heartening to see the widespread 
adoption of the S/MIME secure electronic mail standard, and the availability of 
commercial products based upon the standard. Despite the fact that public key 
infrastructure technology is still in its infancy, and the standards are continuously 
evolving, the S/MIME vendors are making considerable progress in resolving the 
existing barriers to interoperability. In the near future, users will find that security 
services will be integrated into most e-mail applications. 

8 Appendix 

These are the products that were tested in order to derive the characteristics described 
in this paper: 

• Baltimore Technologies MailSecure Exchange Plug-in Version 2.1 

• WorldTalk WorldSecure Eudora Plug-in Version 3.05 

• WorldTalk WorldSecure Exchange Plug-in Version 3.0 

• Netscape Messenger Version 4.05 

• Microsoft Outlook Express Version 5.0 Beta 2 

• Microsoft Outlook 98 
Abstract. This paper introduces the barriers of interoperability that exist 
between the X.509 and EDIFACT Public Key Infrastructures (PKI), and 
proposes a solution to remove them. The solution goes through the DEDICA* 
(Directory based EDI Certificate Access and management) Project. The main 
objective of this project is to define and to provide the means to make these two 
infrastructures inter-operable without increasing the amount of information to 
be managed by them. The proposed solution is a gateway tool interconnecting 
both PKIs. The main goal of this gateway is to act as a TTP that "translates" 
certificates issued by one PKI to the other’s format, and then signs the 
translation to make it a new certificate. The gateway will, in fact, act as a proxy 
Certification Authority (CA) of the CAs of the other PKI, and will take the 
responsibility of the certified data authenticity, on the behalf of the original CA. 



1. Introduction 

The security services based on asymmetric cryptography require a Public Key 
Infrastructure (PKI) to make the public key values available. 

Several initiatives around the world have caused the emergence of PKIs based on 
X.509 certificates, such as SET (Secure Electronic Transaction) or PKIX (Internet 
Public Key Infrastructure). Another PKI type is the one based on the EDIFACT 
certificate. These infrastructures are not interoperable, mainly due to the fact that the 
certificates and messages are coded in different ways (ASN.1 and DER are used for 
X.509 PKI, whilst EDIFACT syntax is used for EDIFACT PKI). 



* This project has been funded by the EU Telematics program and the Spanish CICYT, and has 
been selected as one of the pilot projects to promote the telematic applications by the SMEs 
by the G7. 

R. Baumgart (Ed.): CQRE’99, LNCS 1740, pp. 242-250, 1999. 
DEDICA (Directory based EDI Certificate Access and management) is a research 
and development project. Its main objective is to define and to provide means to make 
the two above-mentioned infrastructures inter-operable without increasing the amount 
of information to be managed by them. The proposed solution involves the design and 
implementation of a gateway tool interconnecting both PKIs: the certification 
infrastructure, based on standards produced in the open systems world, and the 
existing EDI applications, which follow the UN/EDIFACT standards for certification 
and electronic signature mechanisms. 

The main goal of the gateway proposed by DEDICA is to act as a Trusted Third 
Party (TTP) that “translates” certificates issued in one PKI to the other’s format, and 
then signs the translation to make it a new certificate: a derived certificate. In this 
way, any user certified, for instance, within an X.509 PKI could get an EDIFACT 
certificate from this gateway without having to register in an EDIFACT authority, 
saving not only time and money, but also allowing the users to use the same private 
key for both environments. The gateway will act, in fact, as a proxy Certification 
Authority (CA) of the CAs of the other PKI. 

The figure 1 shows the DEDICA gateway context. Each user is registered in his 
PKI and accesses the certification objects repository related to its PKI. The DEDICA 
gateway must be able to interact with the users of both PKIs in order to serve requests 
from any of them. It must also be able to access the security object stores of both 
PKIs, and to be certified as EDIFACT and X.509 CAs. 




Fig. 1. DEDICA gateway context. 
2. Functionality of the gateway 

The interoperability problem between the X.509 and EDIFACT PKIs was addressed by 
the DEDICA project at two levels: 

1. The different formats of the certificates: The DEDICA consortium, after an in- 
depth study of the contents of both types of certificates, specified a set of mapping 
rules that makes possible the two-way translation of both types of certificates. 

2. The different messages interchanged by the entities of the PKIs: whereas in the 
EDIFACT world the UN/EDIFACT KEYMAN message is used to provide 
certification services, in the X.509 world a set of messages specified for each PKI 
(PKIX on the Internet, for instance) are used. 

The DEDICA gateway assumes the role of a TTP for users of both infrastructures. 
The gateway accomplishes a process of certificate translation from EDIFACT to 
X.509 and conversely; however this translation process is not strictly a mapping at 
level of certificate formats, since the gateway adds a digital signature to the 
mapped data. In addition to that, in some cases, it is not possible just to move data 
from one certificate to the other, due to format restrictions (size, encoding). In these 
cases the gateway has to generate tagged data for the derived certificate, that will 
allow it to reproduce the original data, kept in internal records (e.g. names mapping 
table, see fig. 3). When the X.509 certificate has private extensions, the gateway will 
just ignore them, since they are assumed relevant only to other applications. 

Full details of the mapping mechanism between both infrastructures may be found 
at: http://www.ac.upc.es/DEDICA/ and at DEDICA CEC -Deliverable WP03.DST3: 
Final Specifications of CertMap Conversion Rules [5]. The DEDICA gateway is able 
to offer a basic set of certificate management services to users of different 
infrastructures: 

1. Request of an EDIFACT certificate from an X.509 certificate generated by an 
X.509 CA. 

2. Verification of an EDIFACT certificate generated by the DEDICA gateway 
(coming from the mapping of an X.509 certificate). 

3. Request of an X.509 certificate from an EDIFACT certificate generated by an 
EDIFACT CA. 

4. Verification of an X.509 certificate generated by the DEDICA gateway (coming 
from the mapping of an EDIFACT certificate). 

The above requests will be carried out making use of the appropriate messages 
from the infrastructure: KEYMAN PACKAGES for EDIFACT, and PKIX for 
X.509. 



2.1. Request of a derived certificate 

In the scenario shown in Figure 2, an X.509 user (user X) wants to send 
EDIFACT messages to an EDIFACT user (user E) using digital signatures or any 
security mechanism that involves the management of certificates. This user needs a 
certificate from the other Public Key Infrastructure (in this case, the EDIFACT PKI). 
He then sends an interchange to the gateway requesting the production of an 
EDIEACT certificate “equivalent” to its provided X.509 one. This interchange will 
contain a KEYMAN message (indicating a request for an EDIFACT certificate) and 
the X.509 certificate of this user in an EDIFACT package (EDIFACT structure 
capable of containing binary information). 

The gateway will validate the X.509 certificate. If the certificate is valid (the 
signature is correct, it has not been revoked, and it has not expired), it will perform 
the mapping process, and will generate the new EDIFACT certificate. After that the 
gateway will send it to user X within a KEYMAN message. 

Now user X can establish a communication with user E using security mechanisms 
that involve the use of electronic certificates through the new EDIFACT certificate, 
sending him an EDIFACT interchange with this certificate. 



2.2. Validation of a derived certificate 

Following the process described in the previous section, user E, after receiving the 
interchange sent by user X, requests validation of the certificate generated by the 
DEDICA gateway by sending the corresponding KEYMAN message to the gateway. 

The gateway determines whether the EDIFACT certificate has been generated by 
itself, and proceeds with the validation of the original X.509 certificate, to find out 
whether it has been revoked or not, and of the derived EDIFACT certificate. The 
EDIFACT user could only check the derived certificate, since it has no access to the 
original environment. The general process of validation of derived certificates is as 
follows: 

1. The gateway verifies the validity of the derived certificate. This requires checking: 

(a) The correctness of the signature, using the public key of the gateway. 

(b) Whether the certificate can be used in view of its validity period. 

2. The gateway accesses the X.500 Distributed Directory in order to get the 
original X.509 certificate and the necessary Certificate Revocation Lists (CRLs). 

3. It verifies the signature of the original certificate, and checks its validity period. 

4. The gateway verifies the certification path related to the original X.509 certificate, 
and checks that its certificates have not been revoked. 

Now the DEDICA gateway will send the positive or negative validation response 
to the EDIFACT user within a KEYMAN message. 



3. Gateway architecture 

The DEDICA gateway has two main architectural blocks: the CertMap and the 
MangMap modules. 



3.1. CertMap module 

The CertMap module is responsible for performing the certificate translations 
following the mapping rules specified by the DEDICA consortium in Deliverable 
WP03.DST3 [5]. 

The CertMap is composed of three main modules: the CM_Kernel module, the 
EDIFACT certificate coding/decoding module, and the set of APIs needed to allow 
the CM_KE to interact with external software tools (the ASN.1 API and the 
Cryptographic API). 

The CM_Kernel module (CM_KE) coordinates the operations performed by all 
the other CertMap modules. Four groups of information present in both certificates 
have been identified: Names, Algorithms, Time and Keys. For each of these 
groups, a software module inside the CM_Kernel implements the relevant 
translation process: the CM_Names, the CM_Algorithm, the CM_Time and 
the CM_Keys modules. 



Fig. 2. Functionality of the DEDICA gateway 

Mapping between X.509 and EDIFACT certificates. The Certificate Mapping 
Rules developed in DEDICA were designed in such a way that the translated 
information was relayed as precisely as possible from the original certificate to the 
derived one. A number of issues had to be taken into account: 

• Specification syntax and transfer syntax for the transmission. The EDIFACT 
certificates are specified following the EDIFACT syntax, and they are 
transmitted coded in printable characters. However, in the X.509 environment the 
ASN.1 Abstract Syntax and the DER rules are used. 

• Naming System. In the X.509 world, the basic mechanism of identification is the 
DN (Distinguished Name) [6], which is associated with an entry in the DIT 
(Directory Information Tree) of the X.500 Distributed Directory. On the other 
hand, the EDIFACT certificate supports both codes (i.e., identifiers assigned by 
authorities) and EDI party names. The DEDICA gateway performs a name 
mapping between the DNs and the EDI Names, according to guidelines defined 
in EDIRA (EDIRA Memorandum of Understanding) [7]. EDIRA proposes an 
identification mechanism compatible with the DN strategy in X.500. The 
DEDICA Deliverable WP03.DST2 [4] contains the specifications of the 
conversion rules that are used by the CertMap module to execute the mapping 
between DNs and EDI Names. 

• Extension mechanism. Version 3 of the X.509 certificate has an extension 
mechanism that allows the semantics of the information it carries to be extended. 
However, at present the EDIFACT certificate does not have any extension 
mechanism, and its syntax specification does not allow such a wide 
variety of information to be specified. In the mapping of X.509 version 3 certificates, only the 
following extensions will be mapped: keyUsage and subjectAltName. Other 
extensions, mainly the private ones, are ignored even if they are tagged as critical for the 
intended applications of the original certificate, since we assumed 
that user and issuer know and accept the EDIFACT certificate format when they 
make the application for a derived certificate. 

• Digital signature. When the gateway finishes the mapping process, it 
automatically generates a new digital signature. In the certificate field identifying 
the issuer entity, the DEDICA gateway identifier will appear, instead of the 
original certificate issuer identification. 

Figure 3 shows the internal structure of the CertMap module. It also shows the 
sequence of operations that take place inside the CertMap to generate an 
EDIFACT certificate from the initial X.509 one. 
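The mapping rules above and the four validation steps of section 2.2 are modelled together in this added Python example (not DEDICA project code): certificates are plain dicts, an HMAC tag stands in for the issuer's digital signature, the CA key, gateway key, identifiers, dates and sample extensions are constructed, and the certification path of step 4 is collapsed to a single known CA.

```python
"""Toy model of the DEDICA gateway: CertMap mapping of an X.509 certificate to a
derived EDIFACT certificate, and MangMap validation of the derived certificate
(steps 1-4 of section 2.2). Certificates are dicts and an HMAC tag stands in for
the issuer's digital signature so the example runs offline."""
import hashlib
import hmac
import json

# Constructed stand-ins for the X.509 CA's and the gateway's signing keys.
CA_KEY = b"x509-ca-demo-key"
GATEWAY_KEY = b"dedica-gateway-demo-key"
GATEWAY_ID = "DEDICA-GATEWAY"          # issuer field of every derived certificate
MAPPED_EXTENSIONS = {"keyUsage", "subjectAltName"}  # the only X.509v3 extensions relayed

def sign(body, key):
    """Stand-in signature: HMAC over the canonical JSON encoding of the body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(cert, key):
    return hmac.compare_digest(sign(cert["body"], key), cert["sig"])

def in_validity(body, now):
    # ISO-8601 UTC strings of identical layout compare correctly as text.
    return body["notBefore"] <= now <= body["notAfter"]

def make_x509(serial, extensions):
    """Constructed X.509 certificate issued by the demo CA (not a real DER object)."""
    body = {"issuer": "CN=Demo CA", "serial": serial, "subject": "CN=user X,O=ACME",
            "publicKey": "demo-public-key", "algorithm": "rsa-sha1",
            "notBefore": "1999-01-01T00:00:00Z", "notAfter": "2000-12-31T23:59:59Z",
            "extensions": extensions}
    return {"body": body, "sig": sign(body, CA_KEY)}

def map_x509_to_edifact(x509):
    """CertMap: relay name, algorithm, validity and key; keep only keyUsage and
    subjectAltName (private extensions are dropped even if critical); the issuer
    becomes the gateway, which signs the result itself."""
    b = x509["body"]
    body = {
        "issuer": GATEWAY_ID,
        "subject": b["subject"],  # the EDIRA DN -> EDI name rules are not modelled here
        "publicKey": b["publicKey"], "algorithm": b["algorithm"],
        "notBefore": b["notBefore"], "notAfter": b["notAfter"],
        "extensions": {k: v for k, v in b["extensions"].items() if k in MAPPED_EXTENSIONS},
        "original": (b["issuer"], b["serial"]),  # lets the gateway find the X.509 cert again
    }
    return {"body": body, "sig": sign(body, GATEWAY_KEY)}

def validate_derived(edifact, directory, crl, now):
    """MangMap validation of a derived certificate. `directory` models the X.500
    lookup (issuer, serial) -> X.509 cert, `crl` the set of revoked serials.
    The certification path of step 4 is collapsed to the single known CA."""
    b = edifact["body"]
    # Step 1: derived certificate signed by the gateway and inside its validity period.
    if b["issuer"] != GATEWAY_ID or not verify(edifact, GATEWAY_KEY):
        return False, "derived certificate not signed by gateway"
    if not in_validity(b, now):
        return False, "derived certificate outside validity period"
    # Step 2: fetch the original X.509 certificate (and CRL) from the directory.
    original = directory.get(b["original"])
    if original is None:
        return False, "original X.509 certificate not found"
    # Step 3: signature and validity period of the original certificate.
    if not verify(original, CA_KEY) or not in_validity(original["body"], now):
        return False, "original X.509 certificate invalid"
    # Step 4: revocation status of the original, which the EDIFACT user cannot check itself.
    if original["body"]["serial"] in crl:
        return False, "original X.509 certificate revoked"
    return True, "valid"
```

The revocation check in step 4 is the reason the EDIFACT user must ask the gateway: a derived certificate with a correct gateway signature and an unexpired validity period still has to be refused once the original X.509 certificate appears on a CRL.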




Fig. 3. Mapping process from X.509 to EDIFACT 



3.2. MangMap module 

The MangMap module of the DEDICA gateway converts certain operations of the 
KEYMAN message into equivalent operations (messages) in the X.509 PKI 
(including X.500 access). 
MangMap is also the general management module for the DEDICA gateway. It 
receives all the requests sent to it and chooses which information has to be recovered 
from external repositories, what type of translation is needed, and what results must 
be generated and sent to the requesting entity. 



Internal structure of the MangMap module. The main blocks of the MangMap are 
shown in Figure 4, and its functionality may be summarised as follows: 

• MangMap Kernel (MK) module 

The Kernel module of the MangMap controls all the actions within the DEDICA 
gateway and co-ordinates the co-operation between the different DEDICA 
modules. 

• KEYMAN Handling (KH) module 

On reception of KEYMAN messages from an end user, it checks the protection 
applied to the KEYMAN, analyses it, interprets the message and converts it into an 
internal request to the MangMap Kernel block. On reception of requests from the 
MangMap Kernel block, it builds KEYMAN messages, applies the required 
protection and makes the KEYMAN available to the communication services. 

• X.509 Public Key Infrastructure Messages Handling (XH) module 

On reception of relevant X.509 public key infrastructure messages from an end 
user, XH module checks the protection applied to the message, analyses it and 
converts the message into an internal request to the MK. 




Fig. 4. Structure of the DEDICA gateway 
XH is also able to access the X.500 Directory in order to get X.509 certificates, 
revocation lists and certification paths. XH is able to send requests to X.500 and 
to obtain and interpret answers from it. Due to the complexity of DAP, the XH 
module uses the LDAP (Lightweight Directory Access Protocol) [8] interface to 
access the X.500 Directory. LDAP offers all the functionality needed to interact with 
the X.500 Directory at a much lower cost. 

On reception of requests from MK, it builds relevant X.509 public key 
infrastructure messages, applies the required protection and makes the messages 
available to the communication service. 



4. Conclusions 

This work has proved the suitability of launching a TTP service to translate security 
objects between different protocol environments. The problems found in this project 
are of a general nature, and the solutions adopted here may be extrapolated to any other 
pair of environments. 

Other emerging PKI services, like SPKI or UMTS (Universal Mobile Telephone 
System), or XML-EDI are potential candidates to use the results of this work. It 
will also be possible to extend the results of this work to other TTP services, like Time 
Stamping, Attribute certification, etc. 

The data type conversion based on translation tables may solve any format 
incompatibility, and the message mapping strategy used to handle the different 
certificate management strategies may also overcome almost any mismatch in the 
services of the two protocols being linked. 

As long as both environments and protocols have the same goals, the data 
and service elements not having a corresponding element in the other environment 
may either: 

a) be simply overridden, because they are not useful in the destination application, or 

b) be replaced by an equivalent data or service element with similar meaning in the 
destination protocol. 

The interoperability between the X.509 and EDIFACT PKIs can be greatly 
enhanced by facilities such as the DEDICA gateway, which acts as a TTP capable of 
offering a basic set of certificate management services to users of both infrastructures. 

The DEDICA project has set up a gateway to translate the security objects between 
X.509 and EDIFACT. This solution also provides interoperability between EDIFACT 
and all the other tools used in electronic commerce, since all of them authenticate the 
entities using X.509 certificates. 

The DEDICA gateway is being integrated in several pilot schemes and projects in 
the context of electronic certification, such as the TEDIC system, the AECOC-UPC 
EDI over Internet project, or the SAFELAYER¹ X.509 Certification Authority. 

The DEDICA service is interesting to both large enterprises and SMEs, 
although this gateway is mostly interesting to SMEs. This is because it allows them to 
use security in the interchange of messages without the need to pay registration fees 
in several infrastructures. This was the reason why DEDICA was selected as one 
of the G7 pilot projects to promote the use of information technology by SMEs. 

¹ Safelayer Secure Communications S.A. is a company providing PKI and SET software 
solutions <http://www.safelayer.com> 

The main advantage for the user will be to share the authentication mechanism 
(digital signature, tools, etc.) between the various applications where they can be 
applied, avoiding the burden of having to register with various services in order to 
satisfy one single user requirement. 

Moreover, the service has been quickly deployed and made available, thanks to the 
fact that no additional registration infrastructure is needed, due to its compatibility 
with the EDIFACT and X.509 infrastructures. This service will promote the use of the 
Internet by EDI applications, since it allows them to secure their interchanges, 
the lack of which has been identified as one of the major barriers to the deployment of EDI 
over the Internet in the past. 

Within the project, several pilot schemes have been launched to demonstrate the 
system in the following fields: customs, electronic chambers of commerce, tourism, 
electronic products manufacturers, EDI software providers and electronic payment in 
banking and public administration. 
computational cost and very low template size. After this introduction, a brief 
explanation of both systems (first iris pattern, followed by hand geometry) will 
begin. The main results achieved with both techniques will be shown, ending 
this work with the final conclusions obtained. 




Iris recognition 

From all biometric techniques known today, iris recognition is considered to be 
the most promising of all for high security environments. This technique presents 
several advantages compared to other techniques, with only one main 
disadvantage: the cost. But considering the overall costs that the installation of 
a high security system supposes, this disadvantage could be minimized. 

Iris recognition is based on the characterization of the pattern of the iris. 
Medical and forensic studies have proven that an iris has higher unicity than 
other techniques, i.e. the probability of finding two identical iris patterns is 
nearly null (identical twins do not have the same iris pattern, and the two eyes 
of the same person have different patterns). Another strong characteristic 
of this technique is the stability of the pattern. After adolescence the pattern 
has completely evolved, and the protection of the cornea makes any modification 
in the pattern impossible, unless a major injury destroys part of the head and, 
of course, the vision of the user. Biological studies have affirmed that the iris 
pattern is not influenced by age, and common vision illnesses such as myopia or 
cataract do not affect irises in any sense. All the unicity of this technique 
leads to a false acceptance rate (FAR) that is nearly null, while its stability allows 
really low false rejection rates (FRR) to be reached. 

Iris recognition systems do not suffer from high user rejection, due to the use 
of video or photographic cameras instead of laser beams such as the ones used for 
retinal scanning, which leads the latter technique to be considered much more invasive. 
Counterfeiting an iris is nearly impossible unless ocular surgery is made in the 
eye, with the threat of losing the vision in that eye. The use of contact lenses 
with a copy of another user's pattern printed on them is easily detected because of the 
continuous involuntary movement of the iris, which is not present in a printed 
one. 
As the first process, the iris location and isolation is performed. This is done 
taking profit from the circular pattern of the iris, by studying the first derivative 
of the intensity of the image around a circle with centre and variable radius. The 
same process is performed to eliminate the pupil from the iris. Once isolated, the 
resulting image is stretched for better processing. A wavelet multiresolution 
analysis is then carried out. Several multiresolution algorithms have been 
studied (e.g. [2], [ ] and [6]), achieving the best results with real symmetric 
Gabor filtering: 

$G(x,y) = \exp\!\left[-\,\ldots\,(x\cos\theta + y\sin\theta)\,\ldots\,(x\sin\theta - y\cos\theta)\,\ldots\right] \cos\!\left(2\pi u\,(x\cos\theta + y\sin\theta)\right)$ (2) 
After obtaining all the coefficients, a reduced set of them has been selected 
through principal component analysis. With the set of data chosen, a primary 
pattern is formed. This pattern is used in three statistical decision schemes for 
the verification process: Euclidean and Hamming distances and Gaussian Mixture 
Modelling (GMM) [7]. In this application, distances between authentics 
and impostors are so different (around . for authentics and . for impostors) 
that a universal threshold could be applied, the usage of 
Euclidean and Hamming distances being sufficient instead of GMMs, with the advantage of the lower 
computational cost of the former two compared with the latter. 

The importance of hand geometry as a biometric technique relies on its 
medium/low cost and on its great acceptance by the user, based on the following 
three main points: it has no police implication (e.g. fingerprint verification 
is closely related to police for most of the users), the system is really easy to 
use (not like speaker verification without being through a telephone, or iris 
recognition) and it does not imply physical invasions of the user's vital organs (such as 
in retinal scanning). As will be shown, there are other facts that make 
hand geometry an optimal solution for some security environments, such as the 
template size, which is the lowest of all the biometric techniques existing today. 

But the main disadvantage of this technique is the "lack" of security. Compared 
to the commonly considered high security methods (like fingerprint, iris and 
retinal scanning), hand geometry FAR and FRR figures are higher, due to 
the lower unicity and stability of the hand template compared with the above 
mentioned techniques. Unicity and stability are two characteristics of a 
biometric technique that can be studied separately. Because of the low unicity of the 
geometry of the hand (i.e. the possibility of finding two identical hands), this 
technique is not recommended for high security environments, but the level of 
security it gives makes this technique valid for medium security access control 
systems. The low stability of the hand geometry is a problem that can 
be solved in two ways: by performing relative measures and/or by adapting the 
template each time the user is authenticated by the system. 

3. p r r pr c ss r c r c 

As in any biometric system, the first step is the signal capture. In hand geometry 
a digital camera is used for this task. The image captured shows not only the 
palm but also the lateral view of the hand, which will serve as a 
weighting factor for the features extracted. The photo will be taken when the 
hand is correctly placed in the system, as indicated by position and 
pressure sensors. 

Applying gradient techniques, the edge of the hand is quickly obtained, 
and ready to perform the feature extraction. Several parameters were measured, 
from the width of the palm and fingers, to the length and height of the latter. 
The angles formed in the phalange joints were also taken into account. A principal 
component analysis has been done to select the parameters that will be used 
in the user's template. Absolute measures, as well as relations between them, 
have taken part in this analysis. Corrections can be made according to the 
pressure applied by the user. The analysis showed that with a low number of 
parameters, such as of them, satisfactory figures for FAR and FRR can be 
obtained. Increasing the number of parameters, FAR and FRR data could be 
decreased. With proper parameter codification, the template size could be from 
9 to 2 bytes, which makes this technique ideal for minimizing template storage 
and lowering the computational cost of the verification process. 

After analysing different verification methods, from those based on metrics 
(e.g. Hamming and Euclidean distances), to the ones based on statistical 
decision theory (e.g. Gaussian Mixture Modelling), and considering the neural 
network approach with radial basis functions, the results obtained show 
that the method with the best ratio between computational cost and FAR + FRR 
is the Hamming distance, although for best reliability GMMs are recommended 
(as seen in the next section). 

3. I pr 

With the system developed as explained above, the overall error rate is below %. 
The relation between FAR, FRR and this rate could be modified (as said) by playing 
with the threshold value, depending on the specific needs of the system. But 
the stability limitations that this technique has are shown when this system is 
used over a long period of time. Adult users gaining or losing weight may change 
absolute measures, and if the weight difference is large enough, a change 
may appear in the relative measures. On the other hand, non-adult users (i.e. 
users in their growing years) change their measures continuously. Although the 
latter case is not important in most environments, the improvement reported by 
the authors also solves it. This improvement is validated based on two hypotheses: 

• The gaining or losing of weight or height involves homogeneous 
changes in hand geometric measures, changing absolute measures but not the 
relative ones. 

• The speed of change of the hand features is slow enough to 
consider that no important variation will occur in a period of one … 

The first hypothesis solves most of the problems by taking relative measures 
instead of absolute ones. As to the second hypothesis, stronger protection 
can be included in the biometric templates through adaptation. This adaptation 
should consider not the change in a single attempt, but the evolution of a 
set of them. For example, the last successfully recognized attempts could 
be averaged with the template, after using a weighting factor for each of these 
process. The stability of the features is increased and therefore the FAR and FRR 
figures remain the same through time. With this averaging process, the influence 
of a potential intruder wrongly recognized as the authenticated user is reduced. 
If the system is based on the storage of the templates in a user's smart card, 
instead of in a central database, the threat is decreased. Moreover, because this 
technique uses a really small template, no more limitations exist and the average 
could be performed with the last two or three successful attempts. Furthermore, 
the mathematical operations involved in the whole process are simple enough to 
enable processing times below those needed for other techniques and with less 
powerful microprocessors (e.g. using -bit processors). 

4. Conclusions 

After designing and developing the biometric systems explained above, the main 
results obtained have been as expected, with null FAR and FRR for iris pattern 
recognition and the results obtained for hand geometry (see Fig. 2). 
However, iris feature extraction should be improved to lower the error rate without 
increasing the computational cost. 

On the other hand, the results obtained with hand geometry measurements 
are very satisfactory, being able to achieve overall error rates below % with a 
GMM based verification algorithm. If computational cost is a strong restriction, 
Hamming distances may be an alternative, with the sacrifice of increasing the 
overall error rate up to 2 %, as can be seen in the illustration. 

Finally, the performance of the hand biometric system has been analysed 
throughout … months, with and without the stabilization improvement, showing 
an increase of the error rate when no adaptation is present and absolute measurements 
are used, while with the stabilization the overall error rate has been kept at 
similar figures. 
With the results obtained, both techniques can be implemented in small 
embedded systems, such as a smart card. The verification rates obtained are 
satisfactory for most of the applications, since they are less than %, although for 
high security environments iris recognition is recommended. 